CVE-2025-5018: CWE-862 Missing Authorization in hivesupport Hive Support | AI-Powered Help Desk, Live Chat and Chatbot
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.
AI Analysis
Technical Summary
The Hive Support plugin for WordPress suffers from missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to 1.2.5. This authorization bypass allows authenticated users with low privileges (Subscriber-level and above) to read and overwrite sensitive configuration data such as the OpenAI API key and AI chat prompts. The vulnerability is categorized under CWE-862 (Missing Authorization) and has a CVSS 3.1 score of 7.1 (High), indicating network attack vector, low attack complexity, privileges required, no user interaction, with high confidentiality impact and low integrity impact.
Potential Impact
An attacker with Subscriber-level access can gain unauthorized read and write access to sensitive plugin data, including the OpenAI API key and AI chat configuration. This could lead to exposure of confidential credentials and manipulation of AI chatbot behavior, potentially undermining the integrity of AI-driven interactions. There is no reported impact on system availability. No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to trusted individuals only and monitor for suspicious activity related to the Hive Support plugin. Avoid granting Subscriber-level or higher access to untrusted users. Review and rotate any exposed API keys if compromise is suspected.
CVE-2025-5018: CWE-862 Missing Authorization in hivesupport Hive Support | AI-Powered Help Desk, Live Chat and Chatbot
Description
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Hive Support plugin for WordPress suffers from missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to 1.2.5. This authorization bypass allows authenticated users with low privileges (Subscriber-level and above) to read and overwrite sensitive configuration data such as the OpenAI API key and AI chat prompts. The vulnerability is categorized under CWE-862 (Missing Authorization) and has a CVSS 3.1 score of 7.1 (High), indicating network attack vector, low attack complexity, privileges required, no user interaction, with high confidentiality impact and low integrity impact.
Potential Impact
An attacker with Subscriber-level access can gain unauthorized read and write access to sensitive plugin data, including the OpenAI API key and AI chat configuration. This could lead to exposure of confidential credentials and manipulation of AI chatbot behavior, potentially undermining the integrity of AI-driven interactions. There is no reported impact on system availability. No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to trusted individuals only and monitor for suspicious activity related to the Hive Support plugin. Avoid granting Subscriber-level or higher access to untrusted users. Review and rotate any exposed API keys if compromise is suspected.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-05-20T22:18:14.744Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68429199182aa0cae20492d2
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 4/9/2026, 5:31:09 PM
Last updated: 5/9/2026, 5:09:07 AM
Views: 89
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.