CVE-2025-5019
Hive Support <= 1.2.4 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Hive Support <= 1.2.4 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Reserved 2025-05-20 | Published 2025-06-06 | Updated 2025-06-06 | Assigner WordfenceCWE-352 Cross-Site Request Forgery (CSRF)
| 2025-06-05: | Disclosed |
Vo Thi Ngoc Nhi
www.wordfence.com/...-da66-4223-a6bf-dc9381687ddd?source=cve
plugins.trac.wordpress.org/...ass-hive-support-chat-ajax.php
wordpress.org/plugins/hive-support/
plugins.trac.wordpress.org/...ass-hive-support-chat-ajax.php
Support options
