Description
The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.
Published: 2025-07-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Authorization Bypass and arbitrary data modification via hardcoded secret key
Action: Immediate Patch
AI Analysis

Impact

The support board plugin for WordPress contains a function that uses a hardcoded default secret key in all releases up to 3.8.0. This flaw allows an attacker with no authentication to bypass authorization checks and invoke any AJAX operation defined in sb_ajax_execute(). Because these operations can read, modify, or delete plugin data, an unauthenticated user can potentially takeover the plugin’s data store and also trigger related vulnerabilities such as CVE-2025-4828.

Affected Systems

The affected product is the Support Board plugin developed by Schiocco, available for WordPress. All official releases numbered 3.8.0 and earlier are vulnerable. There is no other affected product listed.

Risk and Exploitability

The CVSS score of 9.8 reflects the high criticality of this flaw. The EPSS score of < 1% indicates that, although exploitation is unlikely to occur widely at present, the potential damage warrants immediate attention. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can exploit it by sending unauthenticated HTTP requests to the plugin’s AJAX endpoint, leveraging the hardcoded key to bypass authorization. No further prerequisites are stated, so the attack vector is inferred to be a simple web request to the improperly protected endpoint.

Generated by OpenCVE AI on April 20, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Support Board plugin to the latest release that removes the hardcoded default secret key.
  • If an immediate upgrade is not possible, disable or uninstall the plugin to eliminate the exposed AJAX handlers.
  • Deploy a web application firewall or modify the site’s access controls to block unauthenticated access to the plugin’s AJAX endpoints, and monitor logs for suspicious activity.

Generated by OpenCVE AI on April 20, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-20754 The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.
History

Mon, 14 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Schiocco
Schiocco support Board
CPEs cpe:2.3:a:schiocco:support_board:*:*:*:*:*:wordpress:*:*
Vendors & Products Schiocco
Schiocco support Board

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00076}

 epss

{'score': 0.001}

Wed, 09 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 08 Jul 2025 23:30:00 +0000

Type Values Removed Values Added
Description The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.
Title Support Board <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Schiocco Support Board
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:40.803Z

Reserved: 2025-05-16T17:00:48.567Z

Link: CVE-2025-4855

cve-icon Vulnrichment

Updated: 2025-07-09T13:14:55.489Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-09T00:15:47.243

Modified: 2025-07-14T15:10:54.030

Link: CVE-2025-4855

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses