CVE-2025-4828 · CRITICAL · CVSS 9.8

CVE-2025-4828: Arbitrary File Deletion in WordPress Support Board

Platform

wordpress

Component

support-board

Fixed in

3.8.1

AI Confidence: high · Source: NVD · EPSS 2.8% · Reviewed: May 2026

CVE-2025-4828 is a critical vulnerability in the WordPress Support Board plugin that allows deletion of arbitrary files on the server. The flaw stems from insufficient validation of the caller-supplied file path in the plugin's sb_file_delete function: the supplied name is joined onto the upload directory without confirming that the resulting path stays inside it, so traversal sequences (../) reach files elsewhere on the host. Successful exploitation can lead to remote code execution when critical files such as wp-config.php are targeted. All versions from 0.0.0 through 3.8.0 are affected; 3.8.1 contains the fix.
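The pattern described above, as an added illustration rather than Support Board's own code: a delete routine that concatenates a caller-supplied name onto the upload directory, beside a hardened version that allow-lists the name and checks that the resolved path stays inside the directory. The function names, the directory layout and the sample file names are this example's own; it builds and removes a throwaway tree under the system temp directory so it runs stand-alone with `php`.

```php
<?php
declare(strict_types=1);

// Added illustration (not Support Board's code): the path-validation mistake
// behind CVE-2025-4828 next to a hardened delete. The directory layout below
// is constructed by the script itself; the function names are this example's own.

// BEFORE: concatenates the caller-supplied name onto the upload directory.
// "../wp-config.php" walks out of $base and unlink() follows it.
function delete_upload_vulnerable(string $base, string $name): bool
{
    $path = $base . '/' . $name;
    return is_file($path) && unlink($path);
}

// Resolve $name relative to $base and return the canonical path only if it
// is strictly inside $base (symlinks resolved). Null means "refuse".
function resolve_inside(string $base, string $name): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $target === false) {
        return null; // base missing, or target missing / dangling symlink
    }
    // Compare with the trailing separator so "/x/uploads2" cannot pass for "/x/uploads".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// AFTER: allow-list the shape of the name, then enforce containment on the
// resolved path. The regex rejects traversal, separators and absolute paths
// before touching the filesystem; realpath() catches a symlink planted inside
// the upload directory that points somewhere else.
function delete_upload_hardened(string $base, string $name): bool
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.(png|jpe?g|gif|pdf|txt)$/i', $name)) {
        return false;
    }
    $target = resolve_inside($base, $name);
    return $target !== null && is_file($target) && unlink($target);
}

// --- Self-contained demo on a throwaway directory tree ---------------------
$root    = sys_get_temp_dir() . '/sb-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
$config  = $root . '/wp-config.php';                 // constructed stand-in, not a real config
file_put_contents($config, "<?php // constructed stand-in\n");
file_put_contents($uploads . '/ticket-42.png', 'png');

$attack = '../wp-config.php';

// Vulnerable routine: one request removes the stand-in config from the parent directory.
printf("vulnerable delete(%s): %s\n", $attack, delete_upload_vulnerable($uploads, $attack) ? 'deleted' : 'refused');
printf("wp-config.php still present: %s\n", is_file($config) ? 'yes' : 'no');

// Restore it and run the hardened routine against the same input and a legitimate name.
file_put_contents($config, "<?php // constructed stand-in\n");
printf("hardened delete(%s): %s\n", $attack, delete_upload_hardened($uploads, $attack) ? 'deleted' : 'refused');
printf("wp-config.php still present: %s\n", is_file($config) ? 'yes' : 'no');
printf("hardened delete(ticket-42.png): %s\n", delete_upload_hardened($uploads, 'ticket-42.png') ? 'deleted' : 'refused');

// Cleanup of the throwaway tree.
@unlink($config);
@unlink($uploads . '/ticket-42.png');
rmdir($uploads);
rmdir($root);
```

Running it shows the vulnerable routine removing the stand-in wp-config.php from the parent directory on a single `../wp-config.php` input, while the hardened routine refuses that input and still deletes the legitimate upload. Both checks matter: the regex stops traversal and absolute paths before any filesystem access, and the realpath containment check is what defeats a symlink placed inside the upload directory by an earlier upload.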


Impact and Attack Scenarios

The primary impact of CVE-2025-4828 is deletion of arbitrary files that the web server's PHP process is permitted to remove. Reaching the vulnerable deletion code normally requires access to the Support Board API; chained with CVE-2025-4855 it becomes exploitable without any authentication. Deleting wp-config.php takes the site offline and, worse, causes WordPress to present its installation wizard, which an attacker can complete against a database they control and then use to install a plugin or theme containing arbitrary PHP; that is the usual route from file deletion to remote code execution. Any other file the PHP user can delete is also in scope: uploads, plugin code, .htaccess rules and database backups kept under the web root. One filesystem detail matters for both impact and mitigation: on POSIX systems, deleting a file requires write permission on its parent directory, not on the file itself, so a read-only wp-config.php does not prevent this. The bug belongs to the familiar path-traversal-to-deletion class, in which the attacker supplies a name containing ../ segments that the code joins onto a base directory without validation.

Exploitation Context

CVE-2025-4828 was publicly disclosed on 2025-07-08. CVE-2025-4855 can be chained with it to reach the vulnerable code unauthenticated. No public proof of concept is known at the time of review and the CVE is not in CISA's KEV catalogue, but the low attack complexity and the absence of required privileges make it a high-priority fix. Its EPSS score is 2.84% (86th percentile), a moderate probability of exploitation relative to other CVEs; monitor security advisories and threat intelligence feeds for signs of active exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

2.84% (86% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS 3.1 base score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com, CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: support-board
Vendor: Schiocco
Affected range: 0 – 3.8.0
Fixed in: 3.8.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Fix available in 3.8.1 (320 days since disclosure at time of review)

Mitigation and Workarounds

The fix for CVE-2025-4828 is to upgrade the WordPress Support Board plugin to 3.8.1 or later, which is available. Where an immediate upgrade is not possible, reduce what a successful deletion can reach: run PHP under a dedicated low-privilege user, and keep wp-config.php either outside the document root (WordPress also looks for it one directory above the installation) or in a directory the PHP user cannot write to, since deleting a file needs write access to its parent directory rather than to the file. Keep backups off the web root. Use file integrity monitoring (a WordPress security plugin or a host-based tool) to alert on deleted or modified core files, and add a Web Application Firewall (WAF) rule that rejects requests whose parameters contain path traversal sequences or reference wp-config.php. After upgrading or applying workarounds, confirm the plugin still works and compare the installation against a known-good baseline to check for unexpected deletions or modifications.
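One way to implement the WAF-style workaround inside WordPress itself, as an added example and not vendor code: a must-use plugin that rejects any request carrying an obvious traversal sequence, a NUL byte or the string wp-config.php in a parameter. It does not assume knowledge of Support Board's own endpoint or parameter names (this page does not document them), so it inspects every parameter; the sample inputs in the command-line branch are constructed, not captured traffic. Drop the file into wp-content/mu-plugins/ to activate it, or run it with `php` on the command line to exercise the classifier alone.

```php
<?php
declare(strict_types=1);
/*
 * Plugin Name: CVE-2025-4828 request guard (added example, not vendor code)
 * Description: Stopgap virtual patch. Refuses requests whose parameters contain
 *              path traversal or wp-config.php until Support Board is on 3.8.1.
 */

// Return true if any string in the (possibly nested) parameter array looks
// like an attempt to walk out of an upload directory. PHP has already
// URL-decoded $_REQUEST once; a second decode catches double-encoded payloads.
function sb_guard_request_is_suspicious(array $params): bool
{
    foreach ($params as $value) {
        if (is_array($value)) {
            if (sb_guard_request_is_suspicious($value)) {
                return true;
            }
            continue;
        }
        if (!is_string($value)) {
            continue;
        }
        foreach ([$value, rawurldecode($value)] as $s) {
            $s = str_replace('\\', '/', $s);          // treat Windows separators like '/'
            if (strpos($s, "\0") !== false             // NUL byte truncation tricks
                || strpos($s, '../') !== false         // parent-directory step
                || preg_match('#(^|/)\.\.$#', $s)      // trailing ".." component
                || stripos($s, 'wp-config.php') !== false) {
                return true;
            }
        }
    }
    return false;
}

if (function_exists('add_action')) {
    // Loaded by WordPress as an mu-plugin: check every request early and stop
    // it with a 403 before any plugin code runs.
    add_action('init', static function (): void {
        if (sb_guard_request_is_suspicious($_REQUEST)) {
            wp_die('Request blocked', 'Forbidden', ['response' => 403]);
        }
    }, 0);
} else {
    // Command-line demo on constructed sample inputs (not captured traffic).
    $samples = [
        'legit'     => ['file' => 'ticket-42.png'],
        'nested'    => ['attachments' => ['a.png', '../../wp-config.php']],
        'encoded'   => ['file' => '%2e%2e%2f%2e%2e%2fetc%2fpasswd'],
        'backslash' => ['file' => '..\\..\\index.php'],
        'trailing'  => ['dir' => 'uploads/..'],
    ];
    foreach ($samples as $label => $params) {
        printf("%-10s %s\n", $label, sb_guard_request_is_suspicious($params) ? 'BLOCK' : 'allow');
    }
}
```

This is a stopgap with known limits: it blocks only inputs that look like traversal, so an attacker who already has Support Board API access can still delete legitimate files inside the upload directory, and any legitimate request that happens to carry `../` in a parameter will be refused. Remove it once the plugin is on 3.8.1.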

How to fix

Update the Support Board plugin to 3.8.1 or the latest available version. Check the plugin's page on WordPress.org or the developer's website for specific upgrade instructions, and take a full backup of the site (files and database) before applying the update.


Frequently asked questions

What is CVE-2025-4828 — Arbitrary File Deletion in WordPress Support Board?

CVE-2025-4828 is a critical vulnerability allowing attackers to delete arbitrary files on a WordPress server due to insufficient file path validation in the Support Board plugin, potentially leading to remote code execution.

Am I affected by CVE-2025-4828 in WordPress Support Board?

You are affected if your WordPress site uses the Support Board plugin in versions 0.0.0 through 3.8.0. Upgrade immediately or apply workarounds.

How do I fix CVE-2025-4828 in WordPress Support Board?

Upgrade the Support Board plugin to 3.8.1 or later. If you cannot upgrade immediately, apply the workarounds above: keep wp-config.php in a directory the PHP user cannot write to, enable file integrity monitoring and add a WAF rule that rejects path traversal attempts.

Is CVE-2025-4828 being actively exploited?

No public proof of concept is known at the time of review and the CVE is not in CISA's KEV catalogue. Its EPSS score (2.84%, 86th percentile) and the unauthenticated chain with CVE-2025-4855 still justify treating it as urgent. Monitor security advisories.

Where can I find the official WordPress advisory for CVE-2025-4828?

Refer to the WordPress security announcements page and the plugin developer's website for updates and advisories related to CVE-2025-4828.
