CVE-2025-5018: CWE-862 Missing Authorization in hivesupport Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 and/or CVE-2025-32242.
AI Analysis
Technical Summary
CVE-2025-5018 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Hive Support plugin for WordPress, which provides AI-powered help desk, live chat, and AI chatbot functionalities. The flaw exists because the plugin fails to perform proper capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions. This omission allows any authenticated user with Subscriber-level privileges or higher to access and modify sensitive configuration data, including the OpenAI API key used by the plugin and AI chat prompt settings. Since Subscribers typically have minimal permissions, this vulnerability effectively elevates their ability to manipulate critical plugin data without proper authorization. The vulnerability affects all versions up to and including 1.2.4. The CVSS v3.1 score is 7.1 (High), reflecting the network attack vector, low attack complexity, and the requirement for low privileges but no user interaction. The impact on confidentiality is high due to exposure of API keys and inspection data, while the integrity impact is low because the attacker can only modify AI chat prompts and behavior, not core site data. Availability is unaffected. This vulnerability may be related to, or a duplicate of, CVE-2025-32208 and CVE-2025-32242, indicating a recurring authorization issue in the plugin. No patches or exploits are currently publicly available, but the risk remains significant given the sensitive nature of the data exposed and the potential for misuse of AI chatbot behavior.
Potential Impact
The primary impact of CVE-2025-5018 is unauthorized disclosure of sensitive information, notably the OpenAI API key, which could be leveraged by attackers to abuse the AI service, potentially incurring costs or extracting confidential data processed by the AI. Additionally, attackers can modify AI chat prompts and behavior, which could lead to misinformation, social engineering attacks, or reputational damage if the chatbot is used for customer support. Since the vulnerability requires only Subscriber-level access, it lowers the barrier for exploitation, increasing risk especially in environments with multiple users or weak user management. Organizations relying on this plugin for customer interaction and AI services may face data confidentiality breaches and manipulation of automated responses, undermining user trust and compliance with data protection regulations. Although availability is not impacted, the integrity and confidentiality concerns are significant enough to warrant urgent attention. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once the vulnerability becomes widely known.
Mitigation Recommendations
1. Immediately restrict Subscriber-level user capabilities by auditing and minimizing the number of users with such access, especially in environments where the Hive Support plugin is installed.
2. Monitor and review user roles and permissions to ensure no unnecessary privilege escalation paths exist.
3. Until an official patch is released, consider disabling or uninstalling the Hive Support plugin if feasible, or isolate its usage to non-critical environments.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the vulnerable functions, focusing on POST requests to endpoints related to AI chat settings updates.
5. Conduct regular security audits and penetration tests focusing on WordPress plugins and their authorization mechanisms.
6. Once a patch is available, apply it promptly and verify that proper authorization checks are enforced in the affected functions.
7. Educate administrators and developers about the risks of missing authorization checks and the importance of secure coding practices in plugin development.
8. Monitor logs for unusual activity related to AI chat configuration changes or API key access.
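The authorization check that recommendation 6 asks reviewers to verify looks like this in a WordPress AJAX handler. This is an added illustration of the CWE-862 pattern and its fix, not the Hive Support plugin's code; the action name, the example_ai_settings option and the manage_options capability are assumptions.

```php
<?php
// Added illustration of a missing-capability-check bug (CWE-862) in a
// WordPress AJAX handler and its hardened form. Not the Hive Support
// plugin's code: the hook, option and capability names are hypothetical.

// VULNERABLE PATTERN (not hooked here): a wp_ajax_* handler is reachable by
// every logged-in user, so authentication alone lets a Subscriber overwrite
// the stored API key and prompt. Nothing here checks what the user MAY do.
function example_update_ai_settings_unchecked() {
    $settings            = get_option( 'example_ai_settings', array() );
    $settings['api_key'] = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    $settings['prompt']  = sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) );
    update_option( 'example_ai_settings', $settings );
    wp_send_json_success();
}

// HARDENED FORM: verify intent (nonce) and authorization (capability) before
// touching any state. wp_send_json_error() terminates the request, so no
// return is needed after the 403.
add_action( 'wp_ajax_example_update_ai_settings', 'example_update_ai_settings_checked' );
function example_update_ai_settings_checked() {
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_update_ai_settings', '_ajax_nonce' );
    // Authorization: only users allowed to manage site options may change AI config.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $settings            = get_option( 'example_ai_settings', array() );
    $settings['api_key'] = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    $settings['prompt']  = sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) );
    update_option( 'example_ai_settings', $settings );
    wp_send_json_success();
}

// READ SIDE: the same two checks, plus masking so the full secret is never
// echoed back even to an authorized user.
add_action( 'wp_ajax_example_get_ai_settings', 'example_get_ai_settings' );
function example_get_ai_settings() {
    check_ajax_referer( 'example_get_ai_settings', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $settings = get_option( 'example_ai_settings', array() );
    $key      = isset( $settings['api_key'] ) ? (string) $settings['api_key'] : '';
    $settings['api_key'] = '' === $key ? '' : '****' . substr( $key, -4 );
    wp_send_json_success( $settings );
}
```

When auditing a plugin for this class of bug, search every wp_ajax_ and REST route callback for a current_user_can() or permission_callback; a handler that only calls check_ajax_referer() still has no authorization check, because any logged-in user can obtain a nonce.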
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-20T22:18:14.744Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68429199182aa0cae20492d2
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 2/27/2026, 3:00:45 PM
Last updated: 3/26/2026, 9:10:14 AM