CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Description (NVD)
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site's OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 and/or CVE-2025-32242.
Analysis (AI)
The Hive Support WordPress plugin (versions ≤1.2.4) is missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions, allowing any authenticated user with Subscriber-level access or higher to read and modify sensitive data, including the site's OpenAI API key, inspection data, and AI chat prompts. The CVSS 3.1 base score is 7.1 (High): the attack is network-reachable, low complexity, and requires only a low-privileged account, so any site with open registration is exposed to arbitrary visitors. The vulnerability may be a duplicate of CVE-2025-32208 or CVE-2025-32242; patch status and active-exploitation metrics are currently unknown.
Technical Context (AI)
The Hive Support plugin for WordPress fails to implement proper authorization controls (CWE-862: Missing Authorization) on the callback functions that handle sensitive plugin settings; the advisory does not state whether they are reached through admin-ajax.php actions, REST routes, or another entry point. The vulnerability affects two specific functions: hs_update_ai_chat_settings(), which manages OpenAI API configuration and AI behavior parameters, and hive_lite_support_get_all_binbox(), which retrieves inspection (support) data. WordPress plugins normally gate such actions with current_user_can() (for example on manage_options) and a nonce check; when a handler is registered on a wp_ajax_* hook without a capability check, every authenticated user, Subscriber role and above, can invoke it, because the wp_ajax_* hooks fire for any logged-in user. The affected component integrates with OpenAI's API, so exposure and rotation of that credential is a critical secondary impact, and a modified prompt lets an attacker alter what the AI chat says to site visitors. An illustrative CPE entry (the vendor/product strings are not confirmed by NVD) would be cpe:2.3:a:hive_support:hive_support:*:*:*:*:*:wordpress:*:* for versions up to and including 1.2.4.
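The following is an added illustration of the CWE-862 pattern described above and its fix. It is not code from the Hive Support plugin; the handler names, option names and AJAX action slugs (everything prefixed example_) are hypothetical, and the only facts taken from the advisory are that a settings-update handler lacks a capability check and that the data it touches includes an API key and a prompt.

```php
<?php
/*
 * Added illustration, not code from the Hive Support plugin.
 * All identifiers prefixed "example_" are hypothetical.
 */

// --- Vulnerable pattern ----------------------------------------------
// wp_ajax_* hooks fire for every authenticated user, including Subscribers,
// so registering a handler here without a capability check is the bug.
add_action( 'wp_ajax_example_update_ai_chat_settings', 'example_update_ai_chat_settings_vulnerable' );

function example_update_ai_chat_settings_vulnerable() {
    // No nonce, no capability check: a Subscriber can overwrite the API key
    // and the prompt, and read the stored key back out of the response.
    update_option( 'example_openai_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    update_option( 'example_ai_prompt', sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) ) );
    wp_send_json_success( array( 'api_key' => get_option( 'example_openai_api_key' ) ) );
}

// --- Hardened pattern ------------------------------------------------
add_action( 'wp_ajax_example_update_ai_chat_settings_v2', 'example_update_ai_chat_settings_hardened' );

function example_update_ai_chat_settings_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action to this user (the settings page obtains it via wp_create_nonce()).
    //    check_ajax_referer() dies with a 403 JSON response on failure.
    check_ajax_referer( 'example_ai_chat_settings', 'nonce' );

    // 2. Authorization: only users who may manage site options.
    //    This is the check whose absence is CWE-862; do it before any
    //    option is read or written.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation only after authorization has passed.
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    $prompt  = sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) );

    // Treat an empty key as "leave unchanged" so a prompt-only edit cannot
    // silently wipe the credential.
    if ( '' !== $api_key ) {
        update_option( 'example_openai_api_key', $api_key );
    }
    update_option( 'example_ai_prompt', $prompt );

    // 4. Never echo the secret back; the caller only needs to know it succeeded.
    wp_send_json_success( array( 'updated' => true ) );
}
```

The same two checks apply to a read-only handler such as one that returns inspection data: the capability check is what keeps a Subscriber from reading it, and the nonce is what keeps an administrator's browser from being driven into calling it from another site.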
Remediation (AI)
Update: upgrade the Hive Support plugin to the first version later than 1.2.4 that the vendor confirms as fixed (the advisory does not name the patched release; check the official plugin page at https://wordpress.org/plugins/hive-support/ and the plugin changelog before assuming 1.2.5 is the fix). Priority: Critical.
Workaround (temporary): close the door that gives attackers Subscriber accounts. Disable open registration (Settings > General > "Anyone can register") or require approval, and audit existing Subscriber accounts for ones you did not create. Restrict the vulnerable entry points server-side, for example with WAF rules or a must-use plugin that rejects calls reaching hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() from users without manage_options. Priority: High.
Immediate mitigation: if no patch is available, deactivate the Hive Support plugin until one is. Treat the OpenAI API key as compromised: rotate it in the OpenAI dashboard, then review that key's usage history for requests you did not make. Compare the AI chat prompt and related settings against a known-good copy and restore them if changed. Priority: Critical.
Detection: monitor WordPress request or audit-plugin logs for calls into hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() by non-administrator roles; watch for OpenAI usage or billing anomalies; and review the plugin's rows in the options table and any user_meta it writes. Note that wp_options rows carry no modification timestamp, so changes there can only be found by comparing against a backup or a configuration baseline, or via an audit-logging plugin that records option updates.
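The "server-side restriction" workaround above can be implemented as a must-use plugin that pre-empts the vulnerable handlers. This is an added illustration, not code from the plugin or the advisory. It assumes the two functions are hooked as admin-ajax actions whose slugs match the function names; the advisory names PHP functions, not the action slugs they are registered under, so the slug list is an assumption that must be checked against the plugin source before use.

```php
<?php
/*
 * Plugin Name: Example virtual patch for unauthorized AJAX actions
 *
 * Added illustration of the workaround, not code from the Hive Support
 * plugin. Place it in wp-content/mu-plugins/ so it loads before regular
 * plugins. The action slugs below are an ASSUMPTION: verify them against
 * the add_action( 'wp_ajax_...' ) calls in the plugin source.
 */

$example_guarded_actions = array(
    'hs_update_ai_chat_settings',        // assumed slug for hs_update_ai_chat_settings()
    'hive_lite_support_get_all_binbox',  // assumed slug for hive_lite_support_get_all_binbox()
);

foreach ( $example_guarded_actions as $example_action ) {
    // Priority 0 runs before the plugin's own callback (default priority 10),
    // so a failing check ends the request before any data is read or written.
    add_action( 'wp_ajax_' . $example_action, 'example_require_admin_for_ajax', 0 );
}

function example_require_admin_for_ajax() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the real handler
    }

    $user   = wp_get_current_user();
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';

    // Leave a trail for the detection step (PHP error log / syslog, depending
    // on the server's error_log configuration).
    error_log( sprintf(
        'example_virtual_patch: blocked AJAX action %s for user %d (roles: %s) from %s',
        $action,
        $user->ID,
        implode( ',', $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() exits, so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

This only covers the admin-ajax path. If the plugin also exposes the same functions through a REST route or a direct PHP file, those need their own guard (a permission_callback on the route, or a web-server rule), which is why deactivating the plugin remains the safer interim choice.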
EUVD ID: EUVD-2025-17076