
CVE-2025-5018: CWE-862 Missing Authorization in hivesupport Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Severity: High
Tags: Vulnerability, CVE-2025-5018, CWE-862
Published: Fri Jun 06 2025 (06/06/2025, 06:42:51 UTC)
Source: CVE Database V5
Vendor/Project: hivesupport
Product: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Description

The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site's OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 and/or CVE-2025-32242.

AI-Powered Analysis

Last updated: 07/07/2025, 17:41:55 UTC

Technical Analysis

CVE-2025-5018 is a high-severity vulnerability affecting the Hive Support plugin for WordPress, which provides AI-powered help desk, live chat, and AI chatbot functionality. The vulnerability arises from missing authorization checks in two key functions: hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox(). These functions lack proper capability verification, allowing any authenticated user with Subscriber-level privileges or higher to access and modify sensitive plugin data. Specifically, attackers can read and overwrite the site's OpenAI API key and inspection data, and alter AI chat prompts and behavior. This unauthorized access can lead to misuse of the OpenAI API key, potentially incurring financial costs or enabling further attacks through manipulated AI responses. The vulnerability is present in all versions up to and including 1.2.4 and may overlap with the previously reported CVE-2025-32208 and CVE-2025-32242. The CVSS 3.1 base score is 7.1, reflecting network exploitability with low attack complexity, requiring only low privileges and no user interaction, with a high confidentiality impact, a lesser integrity impact, and no availability impact. No known exploits are reported in the wild yet. The root cause is CWE-862 (Missing Authorization), indicating a failure to enforce proper access controls on sensitive operations within the plugin.

Potential Impact

For European organizations using WordPress sites with the Hive Support plugin, this vulnerability poses significant risks. Unauthorized access to the OpenAI API key can lead to abuse of AI services, resulting in unexpected costs and potential data leakage if the API key is used to access or generate sensitive information. Manipulation of AI chat prompts and behavior can degrade customer service quality, mislead users, or facilitate social engineering attacks. Confidentiality is the primary concern, as attackers can extract sensitive configuration data. Integrity is also affected since attackers can alter AI chatbot behavior, potentially causing misinformation or reputational damage. The vulnerability does not directly impact availability but can indirectly affect service reliability and trust. Organizations in sectors relying heavily on customer interaction and AI-driven support, such as e-commerce, finance, and public services, may face operational and reputational consequences if exploited.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately update the Hive Support plugin to a patched version once available. In the absence of an official patch, administrators should implement manual access controls by restricting Subscriber-level users from accessing or triggering the vulnerable functions, possibly through custom WordPress role modifications or capability restrictions. Monitoring and auditing plugin usage logs for unusual access patterns to AI chat settings and API keys is recommended. Additionally, rotating the OpenAI API key after patching or applying mitigations will prevent misuse of credentials that may already have been read. Employing Web Application Firewalls (WAFs) with rules to detect and block unauthorized API calls to these functions can provide temporary protection. Finally, organizations should review user roles and minimize the number of users with Subscriber or higher privileges to reduce the attack surface.
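The missing-capability-check pattern described in the Technical Analysis and the capability restriction recommended above, shown as an added example rather than the plugin's own code: a hypothetical WordPress AJAX settings handler in its vulnerable form beside a hardened form. All function, action, option and nonce names are invented for this illustration.

```php
<?php
// Hypothetical WordPress AJAX handler pair illustrating CWE-862 (missing
// authorization) and its fix. Names are invented; this is not Hive Support code.

// Vulnerable pattern: a wp_ajax_* hook fires for ANY logged-in user, including
// Subscribers, and nothing checks a capability before the secret is overwritten.
// In a vulnerable plugin this would be registered with add_action('wp_ajax_...').
function example_update_ai_chat_settings_vulnerable() {
    $settings = array(
        'openai_api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'system_prompt'  => sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) ),
    );
    update_option( 'example_ai_chat_settings', $settings ); // no current_user_can() here
    wp_send_json_success( $settings );                      // and the key is echoed back
}

// Hardened pattern: authorize first (fail closed), verify a nonce, keep the
// existing key unless a new one is supplied, and never return the secret.
function example_update_ai_chat_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {      // authorization (CWE-862 fix)
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'example_ai_chat_settings', 'nonce' ); // CSRF check, assumed action name

    $settings = get_option( 'example_ai_chat_settings', array() );
    $settings['system_prompt'] = sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) );

    $new_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    if ( '' !== $new_key ) {
        $settings['openai_api_key'] = $new_key;
    }
    update_option( 'example_ai_chat_settings', $settings );

    // Read endpoints should apply the same capability check and mask the key.
    $key    = $settings['openai_api_key'] ?? '';
    $masked = '' === $key ? '' : substr( $key, 0, 3 ) . str_repeat( '*', 8 );
    wp_send_json_success( array(
        'openai_api_key' => $masked,
        'system_prompt'  => $settings['system_prompt'],
    ) );
}
add_action( 'wp_ajax_example_update_ai_chat_settings', 'example_update_ai_chat_settings_hardened' );
```

Only the hardened handler is registered; the same current_user_can() gate belongs in any read handler that returns settings, which is the second function class the advisory names.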


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-20T22:18:14.744Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68429199182aa0cae20492d2

Added to database: 6/6/2025, 6:58:33 AM

Last enriched: 7/7/2025, 5:41:55 PM

Last updated: 7/31/2025, 8:27:58 PM
