Cross-Site Request Forgery in Hive Support Plugin for WordPress
CVE-2025-5019

5.4 MEDIUM

What is CVE-2025-5019?

The Hive Support plugin for WordPress is vulnerable to Cross-Site Request Forgery because of inadequate nonce validation in the hs_update_ai_chat_settings() function. This flaw allows unauthenticated attackers to change the plugin's AI/chat settings, including API keys, by tricking a site administrator into issuing a forged request. This could lead to data leaks or to notifications being misdirected to unauthorized endpoints.

Affected Version(s)

Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress: versions <= 1.2.4

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vo Thi Ngoc Nhi