{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5019", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-20T22:32:39.398Z", "datePublished": "2025-06-06T06:42:49.240Z", "dateUpdated": "2026-04-08T16:52:16.318Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:16.318Z"}, "affected": [{"vendor": "hivesupport", "product": "Hive Support | AI-Powered Help Desk, Live Chat and Chatbot", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin\u2019s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Hive Support <= 1.2.5 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50542e5e-da66-4223-a6bf-dc9381687ddd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/hive-support/tags/1.2.4/backend/class-hive-support-chat-ajax.php#L146"}, {"url": "https://wordpress.org/plugins/hive-support/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/hive-support/tags/1.2.4/backend/class-hive-support-chat-ajax.php#L9"}, {"url": "https://plugins.trac.wordpress.org/changeset/3311984"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Vo Thi Ngoc Nhi"}], "timeline": [{"time": "2025-06-05T17:48:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-06T15:43:39.716022Z", "id": "CVE-2025-5019", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T16:09:39.910Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5019", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-06T15:43:39.716022Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T15:43:41.401Z"}}], "cna": {"title": "Hive Support <= 1.2.5 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function", "credits": [{"lang": "en", "type": "finder", "value": "Vo Thi Ngoc Nhi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "hivesupport", "product": "Hive Support | AI-Powered Help Desk, Live Chat and Chatbot", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-05T17:48:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50542e5e-da66-4223-a6bf-dc9381687ddd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/hive-support/tags/1.2.4/backend/class-hive-support-chat-ajax.php#L146"}, {"url": "https://wordpress.org/plugins/hive-support/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/hive-support/tags/1.2.4/backend/class-hive-support-chat-ajax.php#L9"}, {"url": "https://plugins.trac.wordpress.org/changeset/3311984"}], "descriptions": [{"lang": "en", "value": "The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin\u2019s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:16.318Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5019", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:16.318Z", "dateReserved": "2025-05-20T22:32:39.398Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-06T06:42:49.240Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin\u2019s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Hive Support | AI-Powered Help Desk, Live Chat &amp; AI Chat Bot Plugin for WordPress para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.2.2 incluida. Esto se debe a una validaci\u00f3n de nonce incompleta o incorrecta en la funci\u00f3n hs_update_ai_chat_settings(). Esto permite que atacantes no autenticados reconfiguren la configuraci\u00f3n de IA/chat del complemento (incluidas las claves API) y, potencialmente, redirijan notificaciones o filtren datos a endpoints controlados por el atacante mediante una solicitud falsificada, siempre que puedan enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-5019", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-06T07:15:28.157", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/hive-support/tags/1.2.4/backend/class-hive-support-chat-ajax.php#L146"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/hive-support/tags/1.2.4/backend/class-hive-support-chat-ajax.php#L9"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3311984"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/hive-support/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50542e5e-da66-4223-a6bf-dc9381687ddd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:08:45.217113+00:00", "value": {"mitigation_remediation": ["Update the Hive Support plugin to the latest version (1.2.6 or later) to restore proper nonce validation in hs_update_ai_chat_settings().", "Disable the hs_update_ai_chat_settings AJAX action or restrict it to properly authenticated requests only.", "If patching or disabling is not immediately possible, configure a firewall rule or security plugin to block unauthenticated AJAX requests to the plugin\u2019s admin URLs until the issue is resolved."], "summary": {"action": "Apply Patch", "impact": "Data Leakage and Misconfiguration of AI Chat Settings"}, "threat_synthesis": {"affected_systems": "Products affected are Hive Support | AI\u2011Powered Help Desk, Live Chat & AI Chat Bot plugin for WordPress, all versions up to and including 1.2.5. Any WordPress installation using these plugin versions and the associated admin AJAX endpoint is vulnerable.", "description_and_impact": "The Hive Support plugin suffers from a Cross\u2011Site Request Forgery flaw, identified as CWE\u2011352, caused by missing or incorrect nonce validation in the hs_update_ai_chat_settings() function. This allows an unauthenticated attacker to craft a forged request that an administrator may execute by clicking a link or visiting a page, leading to unauthorized reconfiguration of the plugin\u2019s AI chat settings, such as API keys. The attacker could then redirect notifications or leak data to attacker\u2011controlled endpoints. The primary impact is data leakage and potential loss of control over the chat functionality, which could expose sensitive information or allow further exploitation of the site.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated site administrator to unknowingly execute a crafted request, making it a user\u2011interaction dependent CSRF attack. While the risk is moderate, the potential for data exfiltration motivates prompt remediative action."}}}}, "created": "2026-04-22T04:15:07.538168+00:00", "updated": "2026-04-22T04:15:07.538181+00:00", "vendors": []}