CVE-2025-5018: 
WordPress vulnerability analysis and mitigation

The Hive Support plugin for WordPress contains a missing capability check vulnerability (CVE-2025-5018) discovered in all versions up to and including 1.2.4. The vulnerability was disclosed on June 6, 2025, and affects the hsupdateaichatsettings() and hivelitesupportgetall_binbox() functions (NVD).

The vulnerability stems from insufficient authorization checks in two key functions: hsupdateaichatsettings() and hivelitesupportgetall_binbox(). This security flaw is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 7.1 (HIGH), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. The vulnerability can be exploited remotely through network access, requires low attack complexity, and needs only low-level privileges to execute (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to read and overwrite the site's OpenAI API key and inspection data. Additionally, attackers can modify AI-chat prompts and behavior, potentially compromising the security and functionality of the AI chat system (NVD).

The plugin has been temporarily closed as of June 4, 2025, pending a full security review. Users are advised to disable the plugin until a patched version is released (WordPress Plugin).