CVE-2025-4855 — Authorization Bypass Through User-Controlled Key in Support Board

CWE-639 — Authorization Bypass Through User-Controlled Key CWE-416 — Use After Free4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 37.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schiocco Support Board

Timeline

PublishedJul 9

Description

The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDschiocco/support_board< 3.8.1

▶CVEListV5schiocco/support_board3.8.0

🔴Vulnerability Details

GHSA

GHSA-vv4w-9vmx-jmwp: The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in t↗2025-07-09

▶

CVEList

Support Board <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key↗2025-07-08

▶

📋Vendor Advisories

Microsoft

Use After Free in editcap↗2024-05-14

▶