CVE-2025-5018: 
WordPress vulnerability analysis and mitigation

The Hive Support plugin for WordPress contains a missing capability check vulnerability (CVE-2025-5018) discovered in all versions up to and including 1.2.4, disclosed on June 6, 2025. The vulnerability affects the hsupdateaichatsettings() and hivelitesupportgetall_binbox() functions, allowing authenticated users with Subscriber-level access or higher to access and modify sensitive data (NVD, Wiz).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 7.1 (HIGH), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. The security flaw stems from insufficient authorization checks in two key functions within the plugin (NVD, Wiz).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to read and overwrite the site's OpenAI API key and inspection data. Additionally, attackers can modify AI-chat prompts and behavior, potentially compromising the security and functionality of the AI chat system (NVD).

The plugin has been temporarily closed as of June 4, 2025, pending a full security review. Users are advised to disable the plugin until a patched version is released (WordPress Plugin).

The WordPress community has responded positively to the quick action taken by the plugin developers in temporarily closing the plugin for security review. This proactive approach to security has been noted in user reviews and community discussions (WordPress Plugin).