What the vulnerability does
01 Description
The Support Board plugin for WordPress is vulnerable to unauthorized access, modification and deletion of data due to the use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and to reach various other functions without authenticating.
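To make the weakness class concrete, the following is an added illustration, not Support Board's code: a token check keyed on a secret that ships in the plugin source (so every installation shares it, and the check adds nothing an attacker cannot compute), beside the same check keyed on a per-site secret generated once and stored in the options table. All function, constant and option names here are hypothetical; the WordPress API calls (get_option, add_option, current_user_can, check_ajax_referer, wp_send_json_*) are real.

```php
<?php
// Added illustration of the "hardcoded default secret" weakness class.
// Not the plugin's own code; names are hypothetical.

// --- Weak pattern: the secret is a constant in the shipped source ---
// Every site shares this value, so a token for any site can be computed
// from the plugin source alone, and the check no longer proves anything.
const EXAMPLE_DEFAULT_SECRET = 'changeme-default'; // constructed placeholder

function example_weak_token(string $action): string {
    return hash_hmac('sha256', $action, EXAMPLE_DEFAULT_SECRET);
}

function example_weak_is_authorized(string $action, string $token): bool {
    return $token === example_weak_token($action); // also not constant-time
}

// --- Hardened pattern: per-site secret generated once, never in source ---
function example_get_site_secret(): string {
    $secret = get_option('example_plugin_secret');
    if (!is_string($secret) || $secret === '') {
        // 32 random bytes from the CSPRNG, stored without autoload.
        $secret = bin2hex(random_bytes(32));
        add_option('example_plugin_secret', $secret, '', 'no');
    }
    return $secret;
}

function example_issue_token(string $action): string {
    return hash_hmac('sha256', $action, example_get_site_secret());
}

function example_is_authorized(string $action, string $token): bool {
    // Constant-time comparison against a token derived from the site secret.
    return hash_equals(example_issue_token($action), $token);
}

// A token alone is still not authorization. An AJAX handler should bind the
// decision to the caller's capability and a nonce, then act.
function example_ajax_handler(): void {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('example_plugin_action');
    // ... perform the requested action here ...
    wp_send_json_success();
}
```

The design point the advisory turns on is the second half: a secret that is identical on every installation is not a secret, and a capability check (current_user_can) plus a nonce is what actually ties an AJAX action to an authorized user. For sites running the plugin, the mitigation is the one the advisory gives: update past 3.8.0.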
Explanation of Vulnerability in Simple Terms
02 Summary
Support Board versions 3.8.0 and earlier contain a critical vulnerability that allows unauthenticated attackers to read sensitive data, modify content, or disrupt service over the network without user interaction. The vulnerability stems from insufficient authorization controls: the hardcoded default secret in sb_encryption() lets requests pass the plugin's authorization check. All installations should update immediately to a patched version.
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify content, or disrupt the service without logging in.
Potential impact on your site
04 Site Impact
Attackers can access private information, alter support tickets or settings, or take the support board offline.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
July 8, 2025: CVE published
April 8, 2026: Record updated