Description
Unauthenticated Privilege Escalation in Support Board < 3.8.9 versions.
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated privilege escalation in the WordPress Support Board plugin prior to version 3.8.9. It allows an attacker without credentials to gain elevated privileges within the WordPress installation, potentially enabling full control over the site. The weakness is classified as CWE-266 (Incorrect Privilege Assignment).

Affected Systems

This issue affects the Schiocco Support Board plugin for WordPress in all releases older than 3.8.9. Site administrators using these versions are at risk. The fix is to upgrade to version 3.8.9 or later, which removes the privilege escalation path.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalogue. Nonetheless, it can be triggered without authentication, so any internet-exposed WordPress site running an affected version of the plugin is at risk. Successful exploitation would grant the attacker administrator privileges, enabling complete takeover of the WordPress site.

Generated by OpenCVE AI on June 17, 2026 at 18:17 UTC.

Remediation

Vendor Solution

Update the WordPress Support Board Plugin to the latest available version (at least 3.8.9).


OpenCVE Recommended Actions

  • Update the Support Board plugin to version 3.8.9 or later, which removes the privilege escalation flaw.
  • If the plugin is not needed, disable or uninstall it entirely to eliminate exposure.
  • Review user roles and remove any unnecessary high‑privilege accounts or restrict capabilities to reduce the impact of a potential compromise.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 17 Jun 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Schiocco; Schiocco support Board; Wordpress; Wordpress wordpress |
| Vendors & Products | | Schiocco; Schiocco support Board; Wordpress; Wordpress wordpress |

Tue, 16 Jun 2026 22:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Unauthenticated Privilege Escalation in Support Board < 3.8.9 versions. |
| Title | | WordPress Support Board plugin < 3.8.9 - Privilege Escalation vulnerability |
| Weaknesses | | CWE-266 |
| References | | |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:44:23.548Z

Reserved: 2026-02-19T09:52:03.313Z

Link: CVE-2026-27395

Vulnrichment

Updated: 2026-06-17T10:44:19.021Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T02:15:03Z

Weaknesses
  • CWE-266: Incorrect Privilege Assignment