CVE-2025-5019: 
WordPress vulnerability analysis and mitigation

The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress is affected by a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.2.2. The vulnerability was discovered and disclosed on June 6, 2025, affecting the plugin's AI chat settings functionality (NVD, Wiz).

The vulnerability stems from missing or incorrect nonce validation in the hsupdateaichatsettings() function. The CVSS v3.1 base score is 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to reconfigure the plugin's AI/chat settings, including API keys. Additionally, attackers can potentially redirect notifications or leak data to attacker-controlled endpoints, provided they can trick a site administrator into performing specific actions like clicking on a malicious link (Wiz).

The plugin has been temporarily closed as of June 4, 2025, pending a full security review. Users are advised to wait for an updated version that includes proper nonce validation for the affected function (WordPress Plugin).