
CVE-2025-4855: CWE-639 Authorization Bypass Through User-Controlled Key in Schiocco Support Board

Severity: Critical
Tags: Vulnerability, CVE-2025-4855, CWE-639
Published: Tue Jul 08 2025 (07/08/2025, 23:22:49 UTC)
Source: CVE Database V5
Vendor/Project: Schiocco
Product: Support Board

Description

The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.

AI-Powered Analysis

Last updated: 07/08/2025, 23:54:26 UTC

Technical Analysis

CVE-2025-4855 is a critical vulnerability in the Support Board plugin for WordPress, developed by Schiocco, affecting all versions up to and including 3.8.0. The sb_encryption() function uses hardcoded default secrets, so any value it produces or accepts can be reproduced by anyone who has read the plugin's source. The plugin relies on those values when deciding whether an AJAX request is authorized, which means an unauthenticated attacker can submit a value of their own making, reach the sb_ajax_execute() dispatcher and invoke the AJAX actions it defines, reading, modifying or deleting the data the plugin manages.

This is the CWE-639 pattern (Authorization Bypass Through User-Controlled Key): the server trusts a key that the client is able to supply. The root cause here is the hardcoded secret, which makes that key forgeable rather than merely guessable; a stronger cipher would not help while the secret ships with the code. The same bypass removes the authentication requirement from CVE-2025-4828 and from other plugin functions that would otherwise need a logged-in user.

The CVSS v3.1 score of 9.8 (critical) reflects exploitation over the network with no privileges and no user interaction, and a full impact on confidentiality, integrity and availability. No patch is linked in this record; the affected range stops at 3.8.0, so any deployed version at or below that should be treated as exposed until the vendor's changelog confirms a fixed release.
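To make the mechanism concrete, the following is an added Python illustration, not the plugin's PHP and not its real constant, of why a shipped default secret turns an "encrypted" authorization value into a key the client controls, and what the per-install alternative looks like. DEFAULT_SECRET, vulnerable_verify, attacker_forge and HardenedIssuer are hypothetical names, and the token layout (JSON body, a dot, an HMAC tag) is assumed for the demonstration; it is not a description of sb_encryption()'s actual format.

```python
"""Added illustration (not the plugin's PHP, and not its real constant) of a
hardcoded default secret used to protect authorization material. All names
here are hypothetical: DEFAULT_SECRET, vulnerable_verify, attacker_forge,
HardenedIssuer. The token layout (JSON body, dot, HMAC tag) is assumed."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for a secret that ships inside distributed code.
# Anyone who can read the code knows it, so it is effectively public.
DEFAULT_SECRET = b"sb-default-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> Optional[bytes]:
    try:
        return base64.urlsafe_b64decode(text)
    except (binascii.Error, ValueError):
        return None


def _sign(secret: bytes, body: bytes) -> bytes:
    return hmac.new(secret, body, hashlib.sha256).digest()


def _split(token: str):
    body_b64, _, tag_b64 = token.partition(".")
    return _unb64(body_b64), _unb64(tag_b64)


# --- Weak design: a shipped default is used whenever the site set no secret ---

def vulnerable_verify(token: str, configured_secret: Optional[bytes] = None) -> Optional[dict]:
    """Accept a token if its tag matches under the site secret, falling back to
    DEFAULT_SECRET when the operator never configured one (the weak part)."""
    secret = configured_secret or DEFAULT_SECRET
    body, tag = _split(token)
    if body is None or tag is None or not hmac.compare_digest(tag, _sign(secret, body)):
        return None
    return json.loads(body)


def attacker_forge(payload: dict) -> str:
    """Unauthenticated attacker minting a token with nothing but the public default."""
    body = json.dumps(payload, sort_keys=True).encode()
    return _b64(body) + "." + _b64(_sign(DEFAULT_SECRET, body))


# --- Hardened design: per-install random secret, no default, tokens expire ---

class HardenedIssuer:
    def __init__(self, secret: Optional[bytes] = None):
        # Generated once at install time and stored outside the code base;
        # there is deliberately no constant to fall back to.
        self.secret = secret if secret is not None else secrets.token_bytes(32)

    def issue(self, payload: dict, ttl: int = 300, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        body = json.dumps({**payload, "exp": int(now) + ttl}, sort_keys=True).encode()
        return _b64(body) + "." + _b64(_sign(self.secret, body))

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        body, tag = _split(token)
        if body is None or tag is None or not hmac.compare_digest(tag, _sign(self.secret, body)):
            return None
        claims = json.loads(body)
        return claims if claims.get("exp", 0) >= now else None


if __name__ == "__main__":
    forged = attacker_forge({"user_id": 1, "action": "delete-conversations"})
    print("default-secret site accepts forged token:", vulnerable_verify(forged) is not None)
    print("hardened site accepts forged token:", HardenedIssuer().verify(forged) is not None)
```

With the default in force, the attacker's token validates on every site that never replaced the secret; a site with its own secret, or the hardened issuer that generates one per install and expires tokens, rejects it. The fix is not a different cipher but the removal of the shared default: authorization material has to be generated per installation and must never be present in the distributed code.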

Potential Impact

For European organizations the exposure is direct. WordPress is widely deployed across Europe, from small businesses to large enterprises and public bodies, and Support Board is installed to provide customer support chat, so the plugin holds customer conversations and the personal data that comes with them. Exploitation lets an unauthenticated attacker disclose, modify or delete that data, and the same bypass unlocks CVE-2025-4828 and other plugin functions, so a compromised chat plugin becomes a foothold for further attacks on the site. The consequences include reputational damage, GDPR breach-notification obligations and possible penalties, and operational disruption. Because exploitation is remote and needs neither credentials nor user interaction, any internet-facing site running an affected version should be treated as at high risk of compromise.

Mitigation Recommendations

1. Identify and inventory every WordPress instance that has the Support Board plugin installed, and record its version; anything at or below 3.8.0 is affected.
2. Update to a release later than 3.8.0 if the vendor has published one; until then, deactivate or remove the plugin. Prefer removal where the chat function is not required, since deactivation only stops WordPress from loading the plugin and leaves its files in place.
3. Add WAF rules that log and rate-limit requests reaching the plugin's AJAX handler (the PHP entry point is sb_ajax_execute()) and block actions that should never arrive from anonymous visitors. Treat this as a stopgap: a forged request carries a value built with the same default secret as a legitimate one, so a signature rule cannot tell the two apart.
4. Monitor web server and plugin logs for bursts of AJAX actions from a single source, privileged actions invoked without a preceding user session, and unexpected creation, modification or deletion of conversations, users or settings.
5. Restrict the WordPress administrative interface by IP allow-list or VPN where feasible. The plugin's AJAX endpoint cannot be restricted the same way without cutting off the visitors the chat widget serves, which is why step 2 matters.
6. Subscribe to the vendor's advisories and to CVE feeds so that a fixed release can be deployed as soon as it appears.
7. Run security awareness and incident response drills that cover web application compromise, including exposure of customer conversation data.
8. Review custom plugins and integrations for the same pattern: a secret that ships in the code base, or an authorization decision based on a value the client can construct.
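For the inventory step, the following is an added Python helper (not from the page, the vendor or the plugin) that reads the comment header WordPress itself uses for plugin metadata, matches on the "Plugin Name" field so that no directory slug has to be assumed, and flags versions at or below 3.8.0. The plugins directory path passed to scan_plugins and the SAMPLE_HEADER text are constructed for the example.

```python
"""Added example: flag Support Board installs at or below 3.8.0 by reading the
WordPress plugin header. Directory layout and SAMPLE_HEADER are constructed."""
import os
import re
from typing import Dict, List, Tuple

LAST_AFFECTED = "3.8.0"   # advisory: all versions up to and including 3.8.0

# WordPress reads plugin metadata from a comment header at the top of the
# plugin's main PHP file; only these two fields are needed for the check.
_HEADER_RE = re.compile(r"^[\s*#/]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return the 'Plugin Name' and 'Version' fields found in the header block."""
    return dict(_HEADER_RE.findall(php_source[:8192]))


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare on the leading dotted-numeric part only; a suffix such as
    '-beta2' is dropped, so pre-releases of 3.8.0 still count as affected.
    Unparseable input becomes (0,), which is also treated as affected."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def is_affected(version: str) -> bool:
    """True when version <= LAST_AFFECTED; shorter tuples are zero-padded so '3.8' == '3.8.0'."""
    a, b = version_tuple(version), version_tuple(LAST_AFFECTED)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def scan_plugins(plugins_dir: str, name_hint: str = "support board") -> List[Tuple[str, str, bool]]:
    """Walk a wp-content/plugins directory (path supplied by the caller) and return
    (file, version, affected) for every plugin whose header name contains name_hint,
    case-insensitively. A missing directory yields an empty list."""
    if not os.path.isdir(plugins_dir):
        return []
    hits = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [path]
        else:
            continue
        for php in candidates:
            try:
                with open(php, encoding="utf-8", errors="replace") as fh:
                    header = parse_plugin_header(fh.read(8192))
            except OSError:
                continue
            if name_hint.lower() in header.get("Plugin Name", "").lower():
                version = header.get("Version", "")
                hits.append((php, version, is_affected(version)))
    return hits


# Constructed sample header (not taken from the vendor's files) to exercise the parser.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Support Board
Plugin URI: https://example.invalid/
Description: constructed sample header for this example
Version: 3.8.0
*/
"""

if __name__ == "__main__":
    hdr = parse_plugin_header(SAMPLE_HEADER)
    print(hdr["Plugin Name"], hdr["Version"], "affected:", is_affected(hdr["Version"]))
    for php, ver, affected in scan_plugins("/var/www/html/wp-content/plugins"):
        print(php, ver, "AFFECTED" if affected else "ok")
```

Run scan_plugins against the plugins directory of each WordPress host; where WP-CLI is available, wp plugin list --fields=name,version,status produces the same name and version information for the comparison.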


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-05-16T17:00:48.567Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686dac326f40f0eb72fc67b5

Added to database: 7/8/2025, 11:39:30 PM

Last enriched: 7/8/2025, 11:54:26 PM

Last updated: 7/9/2025, 10:08:05 AM
