Schiocco Support Board vulnerabilities

9 known vulnerabilities affecting schiocco/support_board.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 2, UNKNOWN 2

Vulnerabilities

CVE-2026-4815 | HIGH | CVSS 8.7 | affects ≤ 3.7.7 | fixed in 3.7.8 | 2026-03-25
CWE-89: A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls[0][message_ids][]' parameter in '/supportboard/include/ajax.php' endpoint.
Sources: cvelistv5, nvd
CVE-2026-4816 | MEDIUM | CVSS 4.8 | affects ≤ 3.7.7 | fixed in 3.7.8 | 2026-03-25
CWE-79: A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data
Sources: cvelistv5, nvd
CVE-2025-60182 | HIGH | CVSS 7.1 | affects ≤ 3.8.7 | 2025-12-18
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Schiocco Support Board supportboard allows Reflected XSS. This issue affects Support Board: from n/a through < 3.8.7.
Sources: cvelistv5, nvd
CVE-2025-54031 | UNKNOWN | affects ≤ 3.8.0 | 2025-08-20
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Schiocco Support Board supportboard allows PHP Local File Inclusion. This issue affects Support Board: from n/a through <= 3.8.0.
Sources: cvelistv5, nvd
CVE-2025-54027 | UNKNOWN | affects ≤ 3.8.0 | 2025-08-20
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Schiocco Support Board supportboard allows Reflected XSS. This issue affects Support Board: from n/a through <= 3.8.0.
Sources: cvelistv5, nvd
CVE-2025-4828 | CRITICAL | CVSS 9.8 | affects ≤ 3.8.0 | fixed in 3.8.1 | 2025-07-09
CWE-22: The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted
Sources: cvelistv5, nvd
CVE-2025-4855 | CRITICAL | CVSS 9.8 | fixed in 3.8.1 | 2025-07-09
The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_e
Sources: cvelistv5, nvd
CVE-2021-24823 | HIGH | CVSS 8.1 | fixed in 3.3.6 | 2022-02-28
CWE-352: The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files
Sources: nvd
CVE-2021-24807 | MEDIUM | CVSS 5.4 | fixed in 3.3.5 | 2021-11-08
CWE-79: The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field; when an administrator or any authenticated user goes to the chat, the XSS will be automatically executed.
Sources: nvd