Platform
wordpress
Component
support-board
Fixed in
3.8.1
CVE-2025-4828 is a critical arbitrary file deletion vulnerability in the Support Board plugin for WordPress. The flaw stems from insufficient file path validation in the plugin's sb_file_delete function: a caller-supplied path is joined to the plugin's file directory without being canonicalized and confined to it, so a traversal sequence reaches any file the web-server user is allowed to delete. Deleting the right file turns this into remote code execution. The usual target is wp-config.php: without it WordPress falls back to its setup wizard, and whoever completes that wizard can point the site at a database they control and then install arbitrary code. All versions up to and including 3.8.0 are affected; version 3.8.1 fixes the issue.
The primary impact is that an attacker can delete arbitrary files on the server hosting the site. The risk is severe because no authentication is required: chained with CVE-2025-4855, the deletion can be triggered without any account on the site. Removing wp-config.php takes the site offline immediately and, through the setup-wizard path above, can hand the attacker the database and then the server. The blast radius therefore covers everything in the WordPress installation: user credentials, customer data held by the support plugin, and any backups stored under the web root. The pattern is the same as other arbitrary-file-deletion bugs: the handler trusts a path taken from the request instead of resolving it and checking that the result stays inside the directory it was meant to serve.
CVE-2025-4828 was publicly disclosed on 2025-07-08. CVE-2025-4855 can be chained with it to achieve unauthenticated exploitation. No public exploit was available at disclosure, but the bug is simple to trigger, and the EPSS score recorded on this page (2.84%, 86th percentile) already places it well above most CVEs. Treat it as high priority, and monitor security advisories and threat intelligence feeds for signs of active exploitation.
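To make the root cause concrete, here is an added illustration of the two shapes of a file-deletion handler: one that joins a request-supplied name to a directory and unlinks it, and one that canonicalizes the path and refuses anything outside the allowed directory. This is example code written for this page, not the Support Board plugin's code; the function names `delete_upload_vulnerable` and `delete_upload_hardened` are hypothetical, `$uploadDir` stands in for what a plugin would get from `wp_upload_dir()`, the WordPress nonce and capability calls are only named in comments so the script runs outside WordPress, and it needs PHP 8 for `str_contains` and `str_starts_with`.

```php
<?php
// Added illustration, not code from the Support Board plugin: a hypothetical
// attachment-deletion handler in the shape the advisory describes (vulnerable)
// and a hardened form. $uploadDir stands in for wp_upload_dir()['basedir'];
// the WordPress nonce/capability calls are named in comments only, because
// this script is meant to run outside WordPress with `php demo.php`.
declare(strict_types=1);

// Vulnerable form: the request-supplied name is joined to the base directory
// with no canonicalization or containment check, so "../../../wp-config.php"
// walks out of the uploads tree and deletes whatever the web-server user may.
function delete_upload_vulnerable(string $uploadDir, string $name): bool
{
    $path = $uploadDir . '/' . $name;
    return is_file($path) && unlink($path);
}

// Hardened form: canonicalize, then require the resolved target to sit strictly
// inside the resolved base directory. Any rejected input returns false.
function delete_upload_hardened(string $uploadDir, string $name): bool
{
    // In a real plugin, check_ajax_referer() and a capability check such as
    // current_user_can('manage_options') belong here, before touching the disk.

    // realpath() refuses NUL bytes (ValueError on PHP 8), so reject them first.
    if ($name === '' || str_contains($name, "\0")) {
        return false;
    }
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return false; // base missing, or target does not exist
    }
    // Prefix check on the *resolved* paths: this also catches symlinks placed
    // inside uploads that point elsewhere. The trailing separator prevents
    // "/srv/uploads-old" from passing as inside "/srv/uploads".
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    if (!is_file($target)) {
        return false; // never unlink directories or special files
    }
    return unlink($target);
}

// Demo on a throwaway layout (all files constructed here, nothing real).
$root    = sys_get_temp_dir() . '/sb-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/wp-content/uploads/sb';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in\n");
file_put_contents($uploads . '/ticket-42.png', 'constructed attachment');

$traversal = '../../../wp-config.php'; // sb -> uploads -> wp-content -> root

printf("hardened, traversal rejected:      %s\n",
    var_export(!delete_upload_hardened($uploads, $traversal), true));
printf("wp-config.php still present:       %s\n",
    var_export(is_file($root . '/wp-config.php'), true));
printf("hardened, legitimate file deleted: %s\n",
    var_export(delete_upload_hardened($uploads, 'ticket-42.png'), true));
printf("vulnerable, traversal succeeded:   %s\n",
    var_export(delete_upload_vulnerable($uploads, $traversal), true));
printf("wp-config.php still present:       %s\n",
    var_export(is_file($root . '/wp-config.php'), true));

// Clean up the scratch tree.
@unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root . '/wp-content/uploads');
rmdir($root . '/wp-content');
rmdir($root);
```

Run it with `php demo.php`. The hardened form refuses the traversal and leaves the stand-in wp-config.php in place while still deleting a genuine attachment; the vulnerable form removes the stand-in wp-config.php. Two points matter in the fix: the containment check is done on the resolved paths (so a symlink dropped into the uploads directory cannot redirect the delete), and the authorization checks run before any filesystem call, because path validation alone does not answer who is allowed to delete at all.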
Exploit Status
EPSS
2.84% (86th percentile)
CISA SSVC
CVSS Vector
The fix for CVE-2025-4828 is to upgrade the Support Board plugin to version 3.8.1 or later. If you cannot upgrade right away, deactivate the plugin until you can. Beyond that, make sure the web-server user cannot delete the files that matter: deletion is governed by write permission on the containing directory, not on the file itself, so a read-only wp-config.php is not protection on its own. Options are to keep wp-config.php one directory above the web root (a location WordPress supports) in a directory owned by a different user, or to mark the file immutable with chattr +i on Linux. Add file integrity monitoring so that unexpected deletions or modifications of core files are detected promptly, and add Web Application Firewall rules that block requests whose parameters contain traversal sequences or refer to wp-config.php. After upgrading, confirm the installed plugin version reads 3.8.1 or later, confirm that wp-config.php and the core files match a known-good backup, and check the plugin's own functionality.
Update the Support Board plugin to 3.8.1 or later. Check the plugin's listing on WordPress.org or the developer's website, whichever you installed it from, for specific upgrade instructions. Take a full backup of the site before applying any update.
CVE-2025-4828 is a critical vulnerability allowing attackers to delete arbitrary files on a WordPress server due to insufficient file path validation in the Support Board plugin, potentially leading to remote code execution.
You are affected if your WordPress site uses the Support Board plugin in versions 0.0.0 through 3.8.0. Upgrade immediately or apply workarounds.
Upgrade the Support Board plugin to version 3.8.1 or later. If you cannot upgrade immediately, deactivate the plugin and apply workarounds such as keeping wp-config.php in a directory the web-server user cannot write to, file integrity monitoring, and WAF rules that block path-traversal attempts.
No public exploit was available at disclosure, but the vulnerability is simple to trigger and its EPSS score is in the 86th percentile, so treat active exploitation as likely and monitor security advisories.
Refer to the WordPress security announcements page and the plugin developer's website for updates and advisories related to CVE-2025-4828.