Vulnerability Description
The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schiocco | Support Board | < 3.8.1 |
Related Weaknesses (CWE)
References
- https://codecanyon.net/item/support-board-help-desk-and-chat/20359943Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/afd48bc8-d490-4a3e-97fThird Party Advisory
FAQ
What is CVE-2025-4855?
CVE-2025-4855 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to,...
How severe is CVE-2025-4855?
CVE-2025-4855 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-4855?
Check the references section above for vendor advisories and patch information. Affected products include: Schiocco Support Board.