CVE-2025-4855: 
WordPress vulnerability analysis and mitigation

The Support Board plugin for WordPress (CVE-2025-4855) contains a critical vulnerability related to unauthorized access, modification, and deletion of data. The vulnerability was discovered and disclosed on July 8, 2025, affecting all versions up to and including 3.8.0. The issue stems from hardcoded default secrets in the sb_encryption() function, which allows unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions through the sb_ajax_execute() function (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD CVE, Wordfence Advisory).

The vulnerability enables unauthorized access, modification, and deletion of data within the WordPress installation. Additionally, it can be used as a stepping stone to exploit CVE-2025-4828, which allows arbitrary file deletion on the server and potentially leads to remote code execution through deletion of critical files like wp-config.php (NVD CVE).

Users should upgrade to version 3.8.1 or later of the Support Board plugin to address this vulnerability. The fix involves removing the hardcoded default secrets from the sb_encryption() function (NVD CVE).