CVE-2025-62975
Description
Cross-Site Request Forgery (CSRF) vulnerability in raychat Raychat raychat allows Cross Site Request Forgery. This issue affects Raychat: from n/a through <= 2.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Raychat WordPress plugin (≤2.2.1) allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Raychat WordPress plugin, affecting versions from n/a through 2.2.1 [1]. The root cause is a lack of proper CSRF token validation on sensitive actions, allowing an attacker to craft malicious requests that are executed in the context of an authenticated administrator or other privileged user.
Exploitation
Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a form while authenticated to the WordPress site [1]. The attacker does not need any special privileges but relies on the victim's session [1]. This is a classic CSRF attack vector.
Impact
Successful exploitation could allow an attacker to force the victim to perform unintended actions, such as changing plugin settings or other administrative tasks, under the victim's current authentication [1]. The CVSS v3 score is 4.3 (Medium), indicating a moderate severity.
Mitigation
The vendor has not released a patch as of the publication date. Users are advised to update the plugin immediately if a fix becomes available, or to contact their hosting provider for assistance [1]. The vulnerability is noted as being used in mass-exploit campaigns, so prompt action is recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 2.2.1
- (no CPE) range: <= 2.2.1
Patches
No patches discovered yet.