CVE-2025-64240
Description
Cross-Site Request Forgery (CSRF) vulnerability in freshchat Freshchat freshchat allows Cross Site Request Forgery. This issue affects Freshchat: from n/a through <= 2.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Cross-Site Request Forgery (CSRF) vulnerability in the Freshchat WordPress plugin up to 2.3.4 allows attackers to force privileged users to perform unintended actions.
The Freshchat plugin for WordPress up to version 2.3.4 is vulnerable to Cross-Site Request Forgery (CSRF) [1]. This flaw arises from insufficient validation of HTTP requests, allowing unauthorized commands to be transmitted from a user that the website trusts.
Exploitation requires user interaction; a privileged administrator must be tricked into clicking a malicious link or visiting a crafted page [1]. An attacker can craft a request that performs actions under the victim's session without their consent, leveraging the victim's authenticated state.
Successful exploitation could enable an attacker to force the administrator into performing unintended actions, such as changing plugin settings, deactivating the plugin, or other administrative operations [1]. This can compromise the integrity of the WordPress site.
The vulnerability is actively being used in mass-exploit campaigns [1]. As an immediate action, users are advised to update the plugin to a patched version beyond 2.3.4. If updating is not possible, contacting the hosting provider or web developer is recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=2.3.4
- (no CPE) range: <=2.3.4
Patches
No patches discovered yet.
References
1 reference