CVE-2025-32624 HIGH

CVE-2025-32624: WordPress Czater.pl – live chat i telefon plugin <= 1.0.5 - CSRF to Stored Cross Site Scripting (XSS) vulnerability

Vendor Czater
Product Czater.pl – live chat i telefon
Weakness CWE-862 · Missing authorization
Published April 9, 2025
Last update April 28, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Missing Authorization vulnerability in czater Czater.pl – live chat i telefon czater allows Cross Site Request Forgery. This issue affects Czater.pl – live chat i telefon: from n/a through <= 1.0.5.

Explanation of Vulnerability in Simple Terms

02 Summary

Czater.pl live chat lacks proper authorization checks, allowing an unauthenticated attacker to access or modify sensitive functionality when a victim visits a malicious link. The attacker needs the victim to click the link. This affects versions up to 1.0.5 and can leak data or alter site content.

What an attacker can do

03 Attacker Capabilities

Access or modify sensitive features without authentication by tricking a user into clicking a link.

Potential impact on your site

04 Site Impact

Unauthorized users can read or change chat data and settings if a visitor clicks a malicious link.

Conditions required to exploit

05 Prerequisites

Victim must click an attacker-supplied link; no authentication required from the attacker.

Key dates

06 Disclosure timeline

April 9, 2025 CVE published
April 28, 2026 Record updated