CVE-2025-4855 is a critical vulnerability affecting the Support Board plugin for WordPress, developed by Schiocco. This vulnerability arises from the use of hardcoded default secrets within the sb_encryption() function across all versions up to and including 3.8.0. The presence of these hardcoded secrets allows unauthenticated attackers to bypass authorization controls and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. Essentially, attackers can manipulate user-controlled keys to gain unauthorized access, enabling them to read, modify, or delete sensitive data managed by the plugin. Furthermore, this vulnerability facilitates exploitation of CVE-2025-4828 and potentially other related functions without requiring any authentication or user interaction. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating a fundamental flaw in how authorization checks are implemented. The CVSS v3.1 score of 9.8 (critical) reflects the high impact on confidentiality, integrity, and availability, combined with ease of exploitation over the network without privileges or user interaction. No patches are currently linked, suggesting that mitigation or updates may not yet be available, increasing the urgency for defensive measures.

For European organizations, the impact of CVE-2025-4855 can be severe. WordPress is widely used across Europe for websites ranging from small businesses to large enterprises and public sector entities. The Support Board plugin is commonly employed to provide customer support chat functionality, often handling sensitive customer data and internal communications. Exploitation of this vulnerability could lead to unauthorized data disclosure, modification, or deletion, compromising customer privacy and business operations. Additionally, attackers could leverage this vulnerability to pivot into other parts of the network or launch further attacks, including exploiting CVE-2025-4828. This could result in reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruptions. Given the critical severity and unauthenticated remote exploitability, organizations face a high risk of compromise if the plugin is in use and unpatched.

1. Immediate identification and inventory of WordPress instances using the Support Board plugin, especially versions up to 3.8.0. 2. Disable or remove the Support Board plugin until a secure patched version is released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting sb_ajax_execute() endpoints, focusing on anomalous or unauthorized parameter values. 4. Monitor logs for unusual activity related to AJAX calls or unexpected data modifications within the plugin’s scope. 5. Restrict access to WordPress administrative interfaces and AJAX endpoints via IP whitelisting or VPN where feasible. 6. Prepare for rapid deployment of patches once available by subscribing to vendor advisories and CVE databases. 7. Conduct security awareness and incident response drills focused on web application compromise scenarios. 8. Review and tighten authorization logic in custom plugins or integrations to prevent similar authorization bypass issues.