CVE-2025-31383: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in FrescoChat Live Chat, affecting versions through 3.2.6. The vulnerability was reported by researcher johska on March 30, 2025, and was officially published on April 9, 2025. This security issue has been assigned CVE-2025-31383 and allows for Stored Cross-Site Scripting (XSS) attacks (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and requires no authentication to exploit, though it does require user interaction (NVD, Patchstack).

This vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The combination of CSRF with Stored XSS capabilities increases the potential impact, as it could lead to persistent malicious code execution in the context of other users' sessions (Patchstack).

As of the vulnerability disclosure, no official fix is available for versions through 3.2.6. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited. Patchstack has assessed that a virtual patch is unnecessary for this vulnerability (Patchstack).