CVE-2025-5018: CWE-862 Missing Authorization in hivesupport Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 and/or CVE-2025-32242.
AI Analysis
Technical Summary
CVE-2025-5018 is a high-severity vulnerability in the Hive Support plugin for WordPress, which provides AI-powered help desk, live chat and AI chatbot functionality. The root cause is CWE-862 (Missing Authorization) in two functions, hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox(): neither verifies that the calling user holds an appropriate capability (in WordPress terms, a current_user_can() check) before acting, so any authenticated user, down to the Subscriber role, can invoke them. Being logged in is the only precondition, and on sites where "Anyone can register" is enabled an attacker can create a Subscriber account at will.

Through these functions an attacker can read and overwrite the site's OpenAI API key and inspection data, and modify the AI chat prompts and behavior. A leaked key can be used to run the attacker's own requests against the site owner's OpenAI account, and tampered prompts let the attacker steer the answers the chatbot gives to the site's visitors.

All versions up to and including 1.2.4 are affected, and the report may overlap with CVE-2025-32208 and/or CVE-2025-32242. The CVSS 3.1 base score is 7.1: network attack vector, low attack complexity, low privileges required, no user interaction, high confidentiality impact, low integrity impact and no availability impact. No in-the-wild exploitation had been reported at the time of writing.
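The missing check described above, as an added example that is not code from the Hive Support plugin: a hypothetical WordPress AJAX settings handler written the way the advisory describes the vulnerable functions (no capability check, secret returned verbatim), next to a hardened version. All function, action and option names (example_*) are placeholders; the page names the affected functions but does not reproduce their code.

```php
<?php
/**
 * Added example (not code from the Hive Support plugin): the shape of a
 * missing-authorization (CWE-862) bug in a WordPress AJAX handler, beside a
 * hardened version. Function, action and option names are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// Registering on wp_ajax_ only (logged-in users) is often mistaken for an
// authorization check. It is not: every role, Subscriber included, can reach
// admin-ajax.php, and nothing below verifies a capability or a nonce.
add_action( 'wp_ajax_example_get_ai_settings', 'example_get_ai_settings_vulnerable' );
function example_get_ai_settings_vulnerable() {
    // Hands the plaintext API key to whoever is logged in.
    wp_send_json_success( array(
        'openai_api_key' => get_option( 'example_openai_api_key', '' ),
        'system_prompt'  => get_option( 'example_ai_system_prompt', '' ),
    ) );
}

add_action( 'wp_ajax_example_update_ai_settings', 'example_update_ai_settings_vulnerable' );
function example_update_ai_settings_vulnerable() {
    // Any logged-in user can overwrite the key and the prompt.
    update_option( 'example_openai_api_key', $_POST['openai_api_key'] ?? '' );
    update_option( 'example_ai_system_prompt', $_POST['system_prompt'] ?? '' );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
function example_require_settings_access() {
    // Authorization: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }
    // CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_ai_settings', 'nonce' );
}

add_action( 'wp_ajax_example_get_ai_settings_v2', 'example_get_ai_settings_hardened' );
function example_get_ai_settings_hardened() {
    example_require_settings_access();
    $key = (string) get_option( 'example_openai_api_key', '' );
    // Never echo the secret back; a masked suffix is enough for a settings UI.
    $masked = '' === $key
        ? ''
        : str_repeat( '*', max( 0, strlen( $key ) - 4 ) ) . substr( $key, -4 );
    wp_send_json_success( array(
        'openai_api_key_masked' => $masked,
        'system_prompt'         => get_option( 'example_ai_system_prompt', '' ),
    ) );
}

add_action( 'wp_ajax_example_update_ai_settings_v2', 'example_update_ai_settings_hardened' );
function example_update_ai_settings_hardened() {
    example_require_settings_access();
    // Rotate the key only when a new one is supplied; keep the stored one otherwise.
    if ( isset( $_POST['openai_api_key'] ) && '' !== $_POST['openai_api_key'] ) {
        update_option(
            'example_openai_api_key',
            sanitize_text_field( wp_unslash( $_POST['openai_api_key'] ) )
        );
    }
    if ( isset( $_POST['system_prompt'] ) ) {
        update_option(
            'example_ai_system_prompt',
            sanitize_textarea_field( wp_unslash( $_POST['system_prompt'] ) )
        );
    }
    wp_send_json_success();
}
```

The two halves of the fix are independent: current_user_can() answers "is this user allowed to do this at all" (the CWE-862 gap), while check_ajax_referer() only proves the request was made from a page the site issued a nonce to. A nonce alone would still let any Subscriber with a valid nonce call the handler, which is why the capability check comes first.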
Potential Impact
For European organizations running WordPress sites with the Hive Support plugin, the main exposure is the OpenAI API key. A leaked key can be used to run the attacker's own requests against the site owner's OpenAI account, producing unexpected charges, and may expose data reachable through that account. Tampering with prompts and chat behavior can degrade support quality, feed visitors false information, or turn the chatbot into a social-engineering channel. Confidentiality is the primary concern, since the sensitive configuration can be read outright; integrity is also affected because the chatbot's behavior can be altered, with the attendant risk of misinformation and reputational damage. Availability is not directly affected, although service reliability and user trust may suffer. Sectors that depend on customer-facing AI support, such as e-commerce, finance and public services, face the greatest operational and reputational consequences if this is exploited.
Mitigation Recommendations
Update the Hive Support plugin to a release later than 1.2.4 in which the vendor confirms the fix, then rotate the OpenAI API key: any key stored in the plugin while an unpatched version was reachable by low-privilege users should be treated as compromised, and the OpenAI usage dashboard should be checked for spend the site did not generate. Review the stored AI prompts and chat settings for tampering at the same time. Where the update cannot be applied immediately, note that adjusting WordPress roles does not help, because the vulnerable functions perform no capability check at all; effective interim measures are deactivating the plugin, disabling open registration (Settings > General > Membership) so attackers cannot simply create a Subscriber account, and virtually patching the endpoints through which the functions are reached (typically admin-ajax.php actions) with a must-use plugin or WAF rule that rejects calls from users who cannot manage_options. Log and review requests to the plugin's settings endpoints, and audit the user list, removing stale or unexpected accounts.
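An interim virtual patch of the kind the mitigation text describes, as an added example (not the plugin's or Wordfence's code): a must-use plugin that refuses the relevant admin-ajax.php actions to anyone who cannot manage_options. It assumes the vulnerable functions are reached as admin-ajax.php actions and uses placeholder action names; the real values must be read from the plugin's wp_ajax_ registrations before use.

```php
<?php
/**
 * Plugin Name: Example interim gate for Hive Support AI settings
 * Description: Added example (not the plugin's or Wordfence's code). Must-use
 * plugin that refuses admin-ajax.php requests for a deny-listed set of AJAX
 * actions unless the caller can manage_options. Drop it into wp-content/mu-plugins/.
 *
 * ASSUMPTION: the action names below are placeholders. The advisory names PHP
 * functions (hs_update_ai_chat_settings, hive_lite_support_get_all_binbox),
 * not the 'action' values they are registered under; read those from the
 * plugin's add_action( 'wp_ajax_...' ) calls and replace the placeholders.
 */

const EXAMPLE_GATED_AJAX_ACTIONS = array(
    'hs_update_ai_chat_settings',       // placeholder
    'hive_lite_support_get_all_binbox', // placeholder
);

// admin-ajax.php fires admin_init before any wp_ajax_{action} hook, so a
// priority-0 handler here runs ahead of the vulnerable callbacks.
add_action( 'admin_init', 'example_gate_hive_ajax_actions', 0 );
function example_gate_hive_ajax_actions() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    if ( ! in_array( $action, EXAMPLE_GATED_AJAX_ACTIONS, true ) ) {
        return;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep the normal behaviour
    }
    // Leave an audit trail: who tried to reach a gated action.
    error_log( sprintf(
        'hive-gate: blocked action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
}
```

The gate covers only admin-ajax.php. If inspection of the plugin shows the functions are also reachable another way (a REST route, a front-end form handler), that path needs its own gate. The error_log() lines give the "unusual access" signal the mitigation text asks for: repeated blocked entries for one user_id are an attempt to exploit the bug, and that account should be reviewed.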
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-20T22:18:14.744Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68429199182aa0cae20492d2
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 7/7/2025, 5:41:55 PM
Last updated: 7/31/2025, 8:27:58 PM
Views: 13
Related Threats
- CVE-2025-8842: Use After Free in NASM Netwide Assembler (Medium)
- Researchers Detail Windows EPM Poisoning Exploit Chain Leading to Domain Privilege Escalation (High)
- CVE-2025-8841: Unrestricted Upload in zlt2000 microservices-platform (Medium)
- CVE-2025-8840: Improper Authorization in jshERP (Medium)
- CVE-2025-8853: CWE-290 Authentication Bypass by Spoofing in 2100 Technology Official Document Management System (Critical)