Support Board Plugin Vulnerability - CVE-2025-4855 and CVE-2025-4828
Two critical vulnerabilities have recently been identified in the Support Board WordPress plugin, affecting all versions up to and including 3.8.0. Both issues are rated CVSS 9.8 (Critical) and pose serious risks for any site using this plugin.
1. Unauthenticated Arbitrary File Deletion (CVE-2025-4855)
A vulnerability in the sb_file_delete function allows unauthenticated attackers to delete arbitrary files on the server. The function does not adequately validate the supplied file path, so a request can name any file the PHP process has permission to delete, including critical files such as wp-config.php. Deleting wp-config.php is especially dangerous: WordPress responds to a missing configuration file by serving its installation wizard to any visitor, which lets an attacker connect the site to a database they control and from there achieve complete site takeover or remote code execution.
2. Unauthenticated Authorization Bypass via Default Secret Key (CVE-2025-4828)
The plugin's sb_encryption() function uses a hardcoded default secret key. Because that key ships with the plugin, it is identical on every installation and readable by anyone with a copy of the source, so an attacker can produce the values the plugin relies on to authorise requests and thereby bypass its authentication. This lets unauthenticated users execute arbitrary AJAX actions through the sb_ajax_execute() function, making it possible to modify or delete sensitive data and to reach further internal functionality that was assumed to be protected.
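Why a default key is equivalent to no key at all, and what the fix looks like, is shown below in an added example written for this page. It is not Support Board's code and does not reproduce sb_encryption(); the token format, the function names and the wp_options key name are assumptions.

```php
<?php
// Added illustration of the "default secret key" problem behind CVE-2025-4828.
// This is NOT Support Board's own code; the function names, the option name
// and the token format are assumptions made for the example.

// Vulnerable pattern: the secret is a constant in the shipped source, so it is
// identical on every site and known to anyone who downloads the plugin.
const EXAMPLE_DEFAULT_KEY = 'change-me-please';

function insecure_token(int $user_id): string {
    return $user_id . ':' . hash_hmac('sha256', (string) $user_id, EXAMPLE_DEFAULT_KEY);
}

function insecure_verify(string $token): ?int {
    [$user_id, $mac] = explode(':', $token, 2) + [null, null];
    if ($user_id === null || $mac === null || !ctype_digit($user_id)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user_id, EXAMPLE_DEFAULT_KEY);
    return hash_equals($expected, $mac) ? (int) $user_id : null;
}

// The attacker's side: with the key public, a token for user ID 1 (normally
// the first administrator) is one function call, and every site accepts it:
// insecure_verify(insecure_token(1)) === 1 on any installation of this code.

// Hardened pattern: a 256-bit key generated on this site the first time it is
// needed and stored in wp_options, so no two installations share it. A site
// owner can still pin the value by defining EXAMPLE_SECRET_KEY in wp-config.php.
function example_secret_key(): string {
    if (defined('EXAMPLE_SECRET_KEY')) {
        return EXAMPLE_SECRET_KEY;
    }
    $key = get_option('example_secret_key');
    if (!is_string($key) || strlen($key) !== 64) {
        $key = bin2hex(random_bytes(32));                 // CSPRNG, 32 bytes
        update_option('example_secret_key', $key, false); // autoload = no
    }
    return $key;
}

// Tokens also carry an expiry so a leaked token is not valid forever.
function secure_token(int $user_id, int $ttl = 3600): string {
    $payload = $user_id . '|' . (time() + $ttl);
    $mac = hash_hmac('sha256', $payload, example_secret_key());
    return base64_encode($payload . '|' . $mac);
}

function secure_verify(string $token): ?int {
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$user_id, $expires, $mac] = $parts;
    if ((int) $expires < time()) {
        return null;                                      // expired
    }
    $expected = hash_hmac('sha256', $user_id . '|' . $expires, example_secret_key());
    // hash_equals() is constant-time, so the comparison leaks no timing info.
    return hash_equals($expected, $mac) ? (int) $user_id : null;
}
```

The HMAC construction is the same in both halves; the only thing that changes is where the key comes from. WordPress already ships per-site secrets in wp-config.php (the AUTH_KEY family), so deriving the plugin key from wp_salt() instead of a stored option is an equally acceptable choice. What is never acceptable is a value that the attacker can read from the plugin ZIP.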
What This Means for Your Site
If you're running Support Board 3.8.0 or earlier, your website can be fully compromised by an attacker who holds no account on the site at all. The file-deletion flaw on its own is enough to take over a site, and the two flaws can be chained for unauthenticated remote code execution, an outcome that in practice is followed by malware deployment, SEO spam, or backdoor installation.
What Should You Do?
Immediately update the Support Board plugin to the latest version (any release newer than 3.8.0).
If you suspect compromise, audit your web server and PHP logs for unexpected requests to the plugin's endpoints and verify file integrity against a known-good copy of WordPress core and your plugins. If compromise is confirmed, rotate the database credentials, the WordPress salts in wp-config.php, and all administrator passwords, since an attacker who ran arbitrary plugin actions may have read them.
Ensure that wp-config.php, .htaccess, and similar critical files haven't been tampered with or deleted. If wp-config.php is missing, WordPress is at that moment serving its installation wizard to the public; take the site offline or restore the file from backup before anyone else reaches it.
Consider installing a Web Application Firewall (WAF) and enabling file change monitoring. Treat these as an extra layer rather than a substitute for the update: a WAF blocks the exploit patterns it has rules for, not variations it has never seen.
Need Help?
If you're unsure whether your site is affected or think it might already be compromised, reach out via my contact page, and I'll help secure your site and assess the damage.