CVE-2025-4855: CWE-639 Authorization Bypass Through User-Controlled Key in Schiocco Support Board
The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.
AI Analysis
Technical Summary
CVE-2025-4855 is a critical vulnerability affecting the Support Board plugin for WordPress, developed by Schiocco. This vulnerability arises from the use of hardcoded default secrets within the sb_encryption() function across all versions up to and including 3.8.0. The presence of these hardcoded secrets allows unauthenticated attackers to bypass authorization controls and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. Essentially, attackers can manipulate user-controlled keys to gain unauthorized access, enabling them to read, modify, or delete sensitive data managed by the plugin. Furthermore, this vulnerability facilitates exploitation of CVE-2025-4828 and potentially other related functions without requiring any authentication or user interaction. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating a fundamental flaw in how authorization checks are implemented. The CVSS v3.1 score of 9.8 (critical) reflects the high impact on confidentiality, integrity, and availability, combined with ease of exploitation over the network without privileges or user interaction. No patches are currently linked, suggesting that mitigation or updates may not yet be available, increasing the urgency for defensive measures.
Potential Impact
For European organizations, the impact of CVE-2025-4855 can be severe. WordPress is widely used across Europe for websites ranging from small businesses to large enterprises and public sector entities. The Support Board plugin is commonly employed to provide customer support chat functionality, often handling sensitive customer data and internal communications. Exploitation of this vulnerability could lead to unauthorized data disclosure, modification, or deletion, compromising customer privacy and business operations. Additionally, attackers could leverage this vulnerability to pivot into other parts of the network or launch further attacks, including exploiting CVE-2025-4828. This could result in reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruptions. Given the critical severity and unauthenticated remote exploitability, organizations face a high risk of compromise if the plugin is in use and unpatched.
Mitigation Recommendations
1. Immediate identification and inventory of WordPress instances using the Support Board plugin, especially versions up to 3.8.0.
2. Disable or remove the Support Board plugin until a secure patched version is released.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting sb_ajax_execute() endpoints, focusing on anomalous or unauthorized parameter values.
4. Monitor logs for unusual activity related to AJAX calls or unexpected data modifications within the plugin’s scope.
5. Restrict access to WordPress administrative interfaces and AJAX endpoints via IP whitelisting or VPN where feasible.
6. Prepare for rapid deployment of patches once available by subscribing to vendor advisories and CVE databases.
7. Conduct security awareness and incident response drills focused on web application compromise scenarios.
8. Review and tighten authorization logic in custom plugins or integrations to prevent similar authorization bypass issues.
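The following PHP sketch is an added illustration for recommendation 8 and is not Support Board's code; the page does not show sb_encryption() or sb_ajax_execute(), so the option name example_plugin_secret, the function names and the capability used are assumptions. It contrasts the class of defect the advisory describes (an authorization secret that silently falls back to a value shipped in the plugin source) with a per-install secret and a server-side capability check, so that a client-presented key is never the only thing gating an AJAX action.

```php
<?php
// Added example, not the plugin's own code. Models the bug class described in
// the advisory: a secret with a hardcoded default that every install shares.

// VULNERABLE PATTERN (hypothetical): when the site never set its own secret,
// a constant baked into the source is used. Any install that kept the default
// accepts tokens minted with that public value.
function vulnerable_get_secret(): string {
    $secret = get_option('example_plugin_secret');               // hypothetical option name
    return $secret ? $secret : 'default-secret-shipped-in-source'; // hardcoded fallback
}

// HARDENED PATTERN: create a random per-install secret on first use, persist it,
// and never fall back to a constant. Regenerating it invalidates every token
// issued so far, which is the behaviour you want after an incident.
function hardened_get_secret(): string {
    $secret = get_option('example_plugin_secret');
    if (!is_string($secret) || strlen($secret) < 64) {
        $secret = bin2hex(random_bytes(32));                     // 256-bit CSPRNG value
        update_option('example_plugin_secret', $secret, false);  // autoload = false
    }
    return $secret;
}

// Token helpers shared by both variants: an HMAC over the data that authorizes
// one action for one user, verified in constant time.
function make_token(string $secret, string $user_id, string $action): string {
    return hash_hmac('sha256', $user_id . '|' . $action, $secret);
}

function token_is_valid(string $secret, string $user_id, string $action, string $token): bool {
    return hash_equals(make_token($secret, $user_id, $action), $token);
}

// Gate for an AJAX dispatcher (hypothetical). Even with a valid token the
// server re-checks the session and capability itself; the CWE-639 failure is
// letting a user-controlled key be the only authorization decision.
function authorize_ajax_action(string $action, string $token): bool {
    if (!is_user_logged_in()) {
        return false;                                            // unauthenticated: reject outright
    }
    $user_id = (string) get_current_user_id();
    if (!token_is_valid(hardened_get_secret(), $user_id, $action, $token)) {
        return false;
    }
    return current_user_can('manage_options');                   // capability, not key trust
}
```

When auditing a plugin for this pattern, search for string literals passed as fallbacks to get_option() or used directly as keys in openssl_encrypt()/hash_hmac() calls; a default that ships in the source is known to everyone who downloads the plugin, so it cannot serve as an authorization secret no matter how it is used.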
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-16T17:00:48.567Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686dac326f40f0eb72fc67b5
Added to database: 7/8/2025, 11:39:30 PM
Last enriched: 7/8/2025, 11:54:26 PM
Last updated: 1/7/2026, 4:20:00 AM
Views: 112