Skip to main content

Support Board

4 CVEs product

Monthly

CVE-2026-27395 CRITICAL PATCH Act Now

Unauthenticated privilege escalation in the Support Board WordPress plugin (versions prior to 3.8.9) allows remote attackers with no credentials to elevate privileges on affected WordPress sites. The flaw was reported by Patchstack and is tied to CWE-266 (Incorrect Privilege Assignment), with a critical CVSS 3.1 base score of 9.8 reflecting network-reachable, low-complexity exploitation. No public exploit identified at time of analysis, but the unauthenticated nature and plugin's customer-support role make this a high-priority patch for any WordPress site running it.

Privilege Escalation Support Board
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-4855 CRITICAL Act Now

The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.

WordPress Authentication Bypass Support Board PHP
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-4828 CRITICAL Act Now

The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.

RCE PHP WordPress Path Traversal Support Board
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2021-24807 MEDIUM POC This Month

The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Support Board
NVD GitHub WPScan
CVSS 3.1
5.4
EPSS
1.4%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated privilege escalation in the Support Board WordPress plugin (versions prior to 3.8.9) allows remote attackers with no credentials to elevate privileges on affected WordPress sites. The flaw was reported by Patchstack and is tied to CWE-266 (Incorrect Privilege Assignment), with a critical CVSS 3.1 base score of 9.8 reflecting network-reachable, low-complexity exploitation. No public exploit identified at time of analysis, but the unauthenticated nature and plugin's customer-support role make this a high-priority patch for any WordPress site running it.

Privilege Escalation Support Board
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.

WordPress Authentication Bypass Support Board +1
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.

RCE PHP WordPress +2
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Support Board
NVD GitHub WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy