CVE-2025-5018: CWE-862 Missing Authorization in hivesupport Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site's OpenAI API key and inspection data, or to modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 and/or CVE-2025-32242.
AI Analysis
Technical Summary
CVE-2025-5018 is a high-severity vulnerability in the Hive Support plugin for WordPress, which provides AI-powered help desk, live chat and AI chatbot functionality. The flaw is a missing authorization check in two functions, hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox(): neither verifies the caller's capability before acting, so any authenticated user with Subscriber-level privileges or higher can invoke them. Through these functions an attacker can read and overwrite the site's OpenAI API key and inspection data, and modify the AI chat prompts and behavior. A leaked key can be used to run requests billed to the site owner; a rewritten prompt lets the attacker decide what the site's own chatbot tells visitors. All versions up to and including 1.2.4 are affected, and the report may overlap with CVE-2025-32208 and/or CVE-2025-32242. The CVSS 3.1 base score of 7.1 corresponds to a network-reachable, low-complexity attack that requires low privileges and no user interaction, with high confidentiality impact, low integrity impact and no availability impact. No exploitation in the wild had been reported at the time of writing. The root cause is CWE-862 (Missing Authorization): WordPress authenticates the caller, but the plugin never checks whether that user is permitted to perform the sensitive operation.
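The following is an added illustrative example, not code from the Hive Support plugin: a WordPress AJAX handler written in the pattern CWE-862 describes, next to a hardened version of the same handler. It assumes the handler is exposed through admin-ajax.php (the advisory does not say how the real functions are reached), and every name prefixed "example_", including the option key "example_ai_chat_settings", is hypothetical.

```php
<?php
// Added illustrative example, not Hive Support's code. All "example_" names
// and the option key are hypothetical; the pattern is the point.

// --- Vulnerable pattern (CWE-862) ---
// The wp_ajax_{action} hook fires for EVERY logged-in user, Subscriber
// included. WordPress has authenticated the caller; nothing here authorizes.
add_action( 'wp_ajax_example_update_ai_chat_settings', 'example_update_ai_chat_settings_vulnerable' );
function example_update_ai_chat_settings_vulnerable() {
    // No current_user_can() and no nonce: a Subscriber can read and overwrite
    // the API key and prompt by POSTing action=example_update_ai_chat_settings.
    $settings = get_option( 'example_ai_chat_settings', array() );
    if ( isset( $_POST['openai_api_key'] ) ) {
        $settings['openai_api_key'] = sanitize_text_field( wp_unslash( $_POST['openai_api_key'] ) );
    }
    if ( isset( $_POST['system_prompt'] ) ) {
        $settings['system_prompt'] = sanitize_textarea_field( wp_unslash( $_POST['system_prompt'] ) );
    }
    update_option( 'example_ai_chat_settings', $settings );
    // Echoing the stored settings back also discloses the current key.
    wp_send_json_success( $settings );
}

// --- Hardened form ---
add_action( 'wp_ajax_example_update_ai_chat_settings_secure', 'example_update_ai_chat_settings_secure' );
function example_update_ai_chat_settings_secure() {
    // 1. Authorization: only users allowed to manage site options. This is the
    //    check whose absence constitutes CWE-862. wp_send_json_error() calls
    //    wp_die(), so execution stops here for everyone else.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF protection: a nonce bound to this action. A nonce alone is NOT
    //    authorization (any user shown the nonce could replay it); it only
    //    proves the request came from a page WordPress rendered for this user.
    check_ajax_referer( 'example_ai_chat_settings', 'nonce' );

    $settings = get_option( 'example_ai_chat_settings', array() );
    if ( isset( $_POST['openai_api_key'] ) ) {
        $settings['openai_api_key'] = sanitize_text_field( wp_unslash( $_POST['openai_api_key'] ) );
    }
    if ( isset( $_POST['system_prompt'] ) ) {
        $settings['system_prompt'] = sanitize_textarea_field( wp_unslash( $_POST['system_prompt'] ) );
    }
    update_option( 'example_ai_chat_settings', $settings );

    // 3. Never return the secret itself; confirm with a masked value.
    $key    = isset( $settings['openai_api_key'] ) ? $settings['openai_api_key'] : '';
    $masked = $key === '' ? '' : substr( $key, 0, 3 ) . str_repeat( '*', 8 );
    wp_send_json_success( array(
        'openai_api_key' => $masked,
        'system_prompt'  => isset( $settings['system_prompt'] ) ? $settings['system_prompt'] : '',
    ) );
}
```

The nonce checked by check_ajax_referer() has to be minted on the admin page with wp_create_nonce( 'example_ai_chat_settings' ) and passed to the browser, for instance via wp_localize_script(). The order of the two checks matters little for security, but the capability check is the one that closes the advisory's finding: with it in place, a Subscriber who reaches the endpoint receives a 403 regardless of what else the request contains.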
Potential Impact
For European organizations running WordPress sites with the Hive Support plugin, the exposure is twofold. Disclosure of the OpenAI API key lets an attacker consume the organization's OpenAI quota, running up costs and, if the same key is shared with other systems, widening the blast radius; on any site that ran an affected version with open registration, the key should be treated as compromised. Control over the chat prompts and behavior lets an attacker turn the site's own support bot against its users: steering conversations, inserting misleading instructions or links, or harvesting information under the guise of support. Confidentiality is the primary impact, since secrets in the plugin configuration are readable; integrity is secondary, since chatbot configuration can be altered; availability is not directly affected, although an exhausted or revoked key will degrade the support service and erode trust. Sectors that rely heavily on AI-driven customer interaction, such as e-commerce, finance and public services, face the greatest operational and reputational consequences if the flaw is exploited.
Mitigation Recommendations
Update the Hive Support plugin to a release newer than 1.2.4 that addresses this issue as soon as one is available. Until then, reduce who can reach the vulnerable functions: disable open user registration (Settings → General, "Anyone can register"), review existing Subscriber and higher accounts and remove any that are unneeded, and consider deactivating the plugin or its AI chat features on sites where untrusted users can log in. Tightening WordPress roles and capabilities does not help by itself, because the vulnerable functions check no capability at all; the check has to be added in the plugin code. Treat the OpenAI API key as potentially compromised: rotate it on the OpenAI side after patching (rotating before patching only hands the attacker the new key) and review OpenAI usage for unexpected consumption. A Web Application Firewall rule that blocks non-administrator requests to the plugin's settings endpoints can provide temporary protection, and WordPress activity or web server logs should be reviewed for calls to the AI chat settings functionality from low-privilege accounts.
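As an added triage aid that is not part of the advisory or the plugin, the script below turns the checks above into a WP-CLI run: it classifies the installed plugin version against the 1.2.4 cutoff, flags open registration, and counts the Subscriber accounts that could act as callers. It assumes WP-CLI is installed and run from the WordPress root, and that the plugin's directory slug is "hive-support" (an assumption; override PLUGIN_SLUG if yours differs).

```sh
#!/bin/sh
# Added example, not part of the advisory or the plugin. Assumes WP-CLI ("wp")
# is available and that the plugin slug is "hive-support" (assumption).
set -eu

PLUGIN_SLUG="${PLUGIN_SLUG:-hive-support}"   # assumed directory slug
LAST_VULNERABLE="1.2.4"                       # from the advisory: <= 1.2.4 affected

# version_le A B: returns 0 when dotted numeric version A <= B.
# Missing components count as 0, so "1.2" compares as "1.2.0".
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 0
}

# classify_version V: prints "vulnerable" if V <= 1.2.4, else "patched".
classify_version() {
    if version_le "$1" "$LAST_VULNERABLE"; then echo vulnerable; else echo patched; fi
}

triage() {
    installed="$(wp plugin get "$PLUGIN_SLUG" --field=version)"
    echo "plugin $PLUGIN_SLUG version $installed: $(classify_version "$installed")"

    # Open registration lets anyone mint the Subscriber account this bug needs.
    if [ "$(wp option get users_can_register)" = "1" ]; then
        echo "WARNING: 'Anyone can register' is enabled"
    fi

    # Every low-privilege account is a potential caller of the unchecked handlers.
    echo "subscriber accounts: $(wp user list --role=subscriber --format=count)"
}

# Run the live checks only when asked, so the functions can be sourced alone.
case "${1:-}" in
    --run) triage ;;
esac
```

Invoke it as "sh triage.sh --run" from the WordPress root. A "vulnerable" verdict together with open registration is the combination that makes this finding exploitable by anyone on the internet; in that case rotate the OpenAI key after updating, not before.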
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-20T22:18:14.744Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68429199182aa0cae20492d2
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 7/7/2025, 5:41:55 PM
Last updated: 1/7/2026, 4:17:45 AM