CVE-2023-49821: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the LiveChat – WP live chat plugin for WordPress, affecting versions up to 4.5.15. The vulnerability was identified on December 5, 2023, by security researcher Brandon James Roldan (WPScan, Patchstack).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and lacks proper CSRF checks in certain areas of the plugin. It received varying CVSS scores, with NVD assigning a high severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) while Patchstack rated it as medium severity with a score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) (NVD).

The vulnerability could allow attackers to make logged-in users perform unwanted actions through CSRF attacks. This security issue falls under the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan).

The vulnerability has been fixed in version 4.5.16 of the LiveChat WordPress plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).