CVE-2025-4855: CWE-639 Authorization Bypass Through User-Controlled Key in Schiocco Support Board
The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.
AI Analysis
Technical Summary
CVE-2025-4855 is a critical vulnerability affecting the Support Board plugin for WordPress, developed by Schiocco. This vulnerability arises from the use of hardcoded default secrets within the sb_encryption() function across all versions up to and including 3.8.0. The presence of these hardcoded secrets allows unauthenticated attackers to bypass authorization controls and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. Essentially, attackers can manipulate user-controlled keys to gain unauthorized access, enabling them to read, modify, or delete sensitive data managed by the plugin. Furthermore, this vulnerability facilitates exploitation of CVE-2025-4828 and potentially other related functions without requiring any authentication or user interaction. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating a fundamental flaw in how authorization checks are implemented. The CVSS v3.1 score of 9.8 (critical) reflects the high impact on confidentiality, integrity, and availability, combined with ease of exploitation over the network without privileges or user interaction. No patches are currently linked, suggesting that mitigation or updates may not yet be available, increasing the urgency for defensive measures.
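As an added illustration of the weakness class described above (hypothetical PHP, not Support Board's own sb_encryption() or sb_ajax_execute() code; the constant, function names and the default value are assumptions), the following shows an authorization token derived from a shipped default secret next to a hardened shape that refuses a default secret, generates a per-site one, and binds the key to the owner of the record being acted on, which is the CWE-639 check:

```php
<?php
// Added illustration of the weakness class in CVE-2025-4855 (hypothetical code,
// not Support Board's sb_encryption()): a token derived from a shipped default
// secret, and a hardened shape that refuses defaults and binds keys to the caller.
const SHIPPED_DEFAULT_SECRET = 'default-secret';  // assumed placeholder value

// Weak pattern: every install that never changed the default shares this secret,
// so anyone who reads the plugin source can mint a valid token for any user id.
function weak_token(string $user_id, string $secret = SHIPPED_DEFAULT_SECRET): string
{
    return hash_hmac('sha256', $user_id, $secret);
}

// Hardened pattern 1: a per-installation secret generated once at activation.
function generate_site_secret(): string
{
    return bin2hex(random_bytes(32));
}

// Refuse to operate on a missing or default secret instead of silently using it.
function load_site_secret(string $stored): string
{
    if ($stored === '' || hash_equals(SHIPPED_DEFAULT_SECRET, $stored)) {
        throw new RuntimeException('per-site secret not configured; refusing AJAX request');
    }
    return $stored;
}

// Token = user id | expiry | HMAC over both, so neither field can be swapped.
function issue_token(string $secret, int $user_id, int $expires_at): string
{
    $payload = $user_id . '|' . $expires_at;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Hardened pattern 2 (the CWE-639 check): the user id carried by the token must
// match the owner of the record being acted on, not merely be any valid token.
function authorize(string $secret, string $token, int $record_owner_id, int $now): bool
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) { return false; }
    [$uid, $exp, $mac] = $parts;
    $expected = hash_hmac('sha256', $uid . '|' . $exp, $secret);
    if (!hash_equals($expected, $mac)) { return false; }  // constant-time comparison
    return (int)$exp >= $now && (int)$uid === $record_owner_id;
}
```

A site whose stored secret still equals the shipped default fails closed in load_site_secret() rather than accepting tokens anyone can forge.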
Potential Impact
For European organizations, the impact of CVE-2025-4855 can be severe. WordPress is widely used across Europe for websites ranging from small businesses to large enterprises and public sector entities. The Support Board plugin is commonly employed to provide customer support chat functionality, often handling sensitive customer data and internal communications. Exploitation of this vulnerability could lead to unauthorized data disclosure, modification, or deletion, compromising customer privacy and business operations. Additionally, attackers could leverage this vulnerability to pivot into other parts of the network or launch further attacks, including exploiting CVE-2025-4828. This could result in reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruptions. Given the critical severity and unauthenticated remote exploitability, organizations face a high risk of compromise if the plugin is in use and unpatched.
Mitigation Recommendations
1. Immediately identify and inventory WordPress instances using the Support Board plugin, especially versions up to 3.8.0.
2. Disable or remove the Support Board plugin until a secure patched version is released.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting sb_ajax_execute() endpoints, focusing on anomalous or unauthorized parameter values.
4. Monitor logs for unusual activity related to AJAX calls or unexpected data modifications within the plugin's scope.
5. Restrict access to WordPress administrative interfaces and AJAX endpoints via IP whitelisting or VPN where feasible.
6. Prepare for rapid deployment of patches once available by subscribing to vendor advisories and CVE databases.
7. Conduct security awareness and incident response drills focused on web application compromise scenarios.
8. Review and tighten authorization logic in custom plugins or integrations to prevent similar authorization bypass issues.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-16T17:00:48.567Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686dac326f40f0eb72fc67b5
Added to database: 7/8/2025, 11:39:30 PM
Last enriched: 7/8/2025, 11:54:26 PM
Last updated: 7/9/2025, 10:08:05 AM
Related Threats
- CVE-2025-3499: CWE-78 Improper Neutralization of Special Elements used in an OS Command (’OS Command Injection’) in Radiflow iSAP Smart Collector (Critical)
- CVE-2025-3498: CWE-306 Missing Authentication for Critical Function in Radiflow iSAP Smart Collector (Critical)
- CVE-2025-27028: CWE-266 Incorrect Privilege Assignment in Radiflow iSAP Smart Collector (Medium)
- CVE-2025-27027: CWE-653 Improper Isolation or Compartmentalization in Radiflow iSAP Smart Collector (Medium)
- CVE-2025-7379: CWE-352 Cross-Site Request Forgery (CSRF) in ASUSTOR ADM (Medium)