CVE-2025-4828Path Traversal in Support Board

CWE-22Path Traversal3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
3.4%
top 12.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Schiocco Support Board
Timeline
PublishedJul 9

Description

The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5schiocco/support_board3.8.0

🔴Vulnerability Details

2
GHSA
GHSA-qq5f-j4wf-xqm8: The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete functio2025-07-09
CVEList
Support Board <= 3.8.0 - Unauthenticated Arbitrary File Deletion2025-07-08
CVE-2025-4828 — Path Traversal in Support Board | cvebase