CVE-2024-12541

Name of the Vulnerable Software and Affected Versions Chative Live chat and Chatbot plugin for WordPress versions up to, and including, 1.1

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the add chative widget action() function. This allows unauthenticated attackers to change the channel ID or organization ID via a forged request if they can trick a site administrator into performing an action like clicking on a link. This could lead to redirecting the live chat widget to an attacker-controlled channel.

Recommendations For Chative Live chat and Chatbot plugin for WordPress versions up to, and including, 1.1: As a temporary workaround, consider disabling the add chative widget action() function until a patch is available. Restrict access to the live chat widget to minimize the risk of exploitation. Avoid using the channel ID and organization ID parameters in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.