Cross-Site Request Forgery in Hive Support Plugin for WordPress
CVE-2025-5019

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Hive Support | Ai-powered Help Desk, Live Chat & Ai Chat Bot Plugin For WordPress
Vendor: CVE Published:; 6 June 2025

What is CVE-2025-5019?

The Hive Support plugin for WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation within the hs_update_ai_chat_settings() function. This flaw allows unauthenticated attackers to manipulate the plugin's AI/chat settings, including API keys, by tricking site administrators into issuing forged requests. This could lead to potential data leaks or misdirection of notifications to unauthorized endpoints.

Affected Version(s)

Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress * <= 1.2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/hive-support/t...

https://wordpress.org/plugins/hive-support/#developers

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2025
Vulnerability Reserved
May 20, 2025

Credit

Vo Thi Ngoc Nhi