Description
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 and/or CVE-2025-32242.
Published: 2025-06-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes and API key disclosure
Action: Immediate Patch
AI Analysis

Impact

Missing capability checks in the Hive Support plugin allow authenticated users with Subscriber-level access and above to read or overwrite the site’s OpenAI API key, modify AI-chat prompts, and alter inspection data. This can expose sensitive credentials and alter chatbot behavior, potentially leading to data exposure and unauthorized use of the OpenAI API.

Affected Systems

The vulnerability affects the Hive Support WordPress plugin, versions up to and including 1.2.5. All installations of this plugin on a WordPress site, regardless of the active theme, are potentially impacted unless the plugin has been upgraded past v1.2.5.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity, while the EPSS score of <1% suggests a low but non-zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user with Subscriber or higher permissions, likely via AJAX calls to the hs_update_ai_chat_settings and hive_lite_support_get_all_binbox endpoints. No remote code execution is reported, but the attacker can gain persistent access to the site’s OpenAI credentials and alter chatbot behavior.

Generated by OpenCVE AI on April 21, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hive Support plugin to the latest version (>=1.2.6)
  • If an upgrade cannot be performed immediately, rotate or delete the OpenAI API key to prevent its misuse
  • Restrict the Subscriber role’s capabilities or disable the affected AJAX endpoints until a patch is applied

Generated by OpenCVE AI on April 21, 2026 at 20:24 UTC.
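The weakness behind this CVE (CWE-862, missing authorization) is the pattern where a plugin registers a handler on a wp_ajax_* hook and reads or writes a privileged option without confirming the caller is allowed to. Any logged-in user, including a Subscriber, can reach wp_ajax_* hooks, so authentication alone does not protect the option. The following is an added illustration, not code from the Hive Support plugin or from OpenCVE: all function, hook and option names here are hypothetical. It shows the unchecked handler shape beside its hardened form (nonce plus capability check, and the secret never echoed back to the browser), followed by a must-use-plugin guard of the kind the third recommended action describes for sites that cannot upgrade immediately. The action names in the guard are placeholders and must be replaced with the real ones from the plugin's source.

```php
<?php
/**
 * Added example (hypothetical names throughout; not the plugin's own code).
 * Illustrates the missing-capability-check pattern and its hardened form.
 */

// Hypothetical unchecked handler: the option is writable by any
// authenticated user because nothing verifies intent or privilege.
function example_update_ai_settings_unchecked() {
    $settings = array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'prompt'  => sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) ),
    );
    update_option( 'example_ai_chat_settings', $settings ); // hypothetical option
    wp_send_json_success();
}

// Hardened form: reject the request unless it carries a valid nonce (CSRF)
// AND the caller holds an administrative capability (authorization).
function example_update_ai_settings() {
    check_ajax_referer( 'example_ai_settings', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $settings = array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'prompt'  => sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) ),
    );
    update_option( 'example_ai_chat_settings', $settings );
    wp_send_json_success();
}

// Read side: same checks, and the stored secret is never returned to the
// client, only an indicator that one is configured.
function example_get_ai_settings() {
    check_ajax_referer( 'example_ai_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $settings = get_option( 'example_ai_chat_settings', array() );
    $settings['api_key'] = empty( $settings['api_key'] ) ? '' : '***configured***';
    wp_send_json_success( $settings );
}

// Register only the hardened handlers; no wp_ajax_nopriv_* variants, since
// unauthenticated visitors have no business touching these settings.
add_action( 'wp_ajax_example_update_ai_settings', 'example_update_ai_settings' );
add_action( 'wp_ajax_example_get_ai_settings', 'example_get_ai_settings' );

/**
 * Interim guard for a site that cannot upgrade yet. Drop this in
 * wp-content/mu-plugins/. admin_init fires in admin-ajax.php before the
 * wp_ajax_{action} hook, so it can refuse the request first.
 * PLACEHOLDER_ACTION_* must be replaced with the plugin's real AJAX action names.
 */
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $guarded = array( 'PLACEHOLDER_ACTION_1', 'PLACEHOLDER_ACTION_2' );
    $action  = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( in_array( $action, $guarded, true ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Action disabled pending plugin update.' ), 403 );
    }
}, 0 );
```

The capability to require depends on who legitimately manages the settings; manage_options is the usual choice for site-wide API credentials. The mu-plugin guard is a stopgap only: it blocks the named actions for non-administrators but does not remove the underlying defect, so the plugin upgrade remains the fix.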


Advisories
Source: EUVD
ID: EUVD-2025-17076
Title: The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.
History

Wed, 08 Apr 2026 17:45:00 +0000

Description (removed): The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.
Description (added): The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.
Title (removed): Hive Support <= 1.2.4 - Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox
Title (added): Hive Support <= 1.2.5 - Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox
References

Fri, 06 Jun 2025 16:15:00 +0000

Metrics (added): ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 07:00:00 +0000

Description (added): The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.
Title (added): Hive Support <= 1.2.4 - Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox
Weaknesses (added): CWE-862
References
Metrics (added): cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:06.546Z

Reserved: 2025-05-20T22:18:14.744Z

Link: CVE-2025-5018

Vulnrichment

Updated: 2025-06-06T15:42:58.430Z

NVD

Status: Deferred

Published: 2025-06-06T07:15:27.970

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses