Platform
wordpress
Component
support-board
Fixed in
3.8.1
CVE-2025-4828 represents a critical vulnerability in the WordPress Support Board plugin, allowing for arbitrary file deletion. This flaw stems from insufficient file path validation within the sbfiledelete function. Successful exploitation can lead to remote code execution, particularly if critical configuration files like wp-config.php are targeted. The vulnerability impacts versions 0.0.0 through 3.8.0 of the plugin.
The primary impact of CVE-2025-4828 is the ability for an attacker to delete arbitrary files on the server hosting the WordPress site. This is a severe risk because the attacker doesn't need authentication to exploit this vulnerability, especially when chained with CVE-2025-4855. Deleting wp-config.php would effectively disable the WordPress site and potentially allow the attacker to gain control of the database and the server itself. The blast radius extends to any sensitive data stored within the WordPress installation, including user credentials, customer data, and potentially database backups. This vulnerability shares similarities with other file deletion vulnerabilities where the attacker can manipulate file paths to gain unauthorized access or control.
CVE-2025-4828 was publicly disclosed on 2025-07-08. It is known that CVE-2025-4855 can be chained with this vulnerability to achieve unauthenticated exploitation. There are currently no publicly available exploits, but the ease of exploitation makes it a high-priority vulnerability. The EPSS score is likely to be medium to high, given the unauthenticated nature of the vulnerability and the potential for RCE. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress websites using the Support Board plugin, particularly those with shared hosting environments or legacy configurations, are at significant risk. Sites with weak file permissions or inadequate security plugins are especially vulnerable. Any site relying on the Support Board plugin for file management or user support features should be considered at risk.
• wordpress / plugin: Use WP-CLI (wp plugin update --all) to check for and apply available plugin updates.
• wordpress / plugin: Search plugin files for the sbfiledelete function and look for any instances of unsanitized user input being used in file path construction.
grep -r 'sb_file_delete' /var/www/wordpress/wp-content/plugins/support-board/
• generic web: Monitor web server access logs for requests containing suspicious file paths or deletion attempts, especially those targeting files within the WordPress plugin directory.
• generic web: Check WordPress plugin directory permissions to ensure they are restricted to the WordPress user account.
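The path-containment check that the advisory describes as missing, shown as an added PHP helper; this is illustrative code, not the Support Board plugin's own, and the allowed directory, scratch files and traversal input are constructed for the demo.

```php
<?php
// Added example, not code from the Support Board plugin: a delete helper that
// confines deletions to a single allowed directory. $allowed_dir stands in for
// the plugin's upload folder and is an assumption for illustration.

function sb_example_safe_delete(string $requested, string $allowed_dir): bool
{
    $base = realpath($allowed_dir);
    if ($base === false || !is_dir($base)) {
        return false;                       // allowed directory must exist
    }
    // Reject empty names and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks; false means the file is absent.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return false;
    }
    // Containment check: the resolved path must begin with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;                       // escaped via ../ or a symlink
    }
    if (!is_file($candidate)) {
        return false;                       // never unlink directories
    }
    return unlink($candidate);
}

// Constructed demo: a scratch directory holding one legitimate attachment, plus
// a file outside it that a traversal request would otherwise reach.
$dir = sys_get_temp_dir() . '/sb_example_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/attachment.txt', 'sample');
$outside = sys_get_temp_dir() . '/sb_example_outside.txt';
file_put_contents($outside, 'outside');

$escaped = sb_example_safe_delete('../sb_example_outside.txt', $dir);
$inside  = sb_example_safe_delete('attachment.txt', $dir);
printf("traversal request deleted: %s\n", $escaped ? 'yes' : 'no');
printf("in-directory request deleted: %s\n", $inside ? 'yes' : 'no');

// Clean up the scratch files.
@unlink($outside);
@rmdir($dir);
```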
disclosure
Exploit Status
EPSS
2.84% (86th percentile)
CISA SSVC
CVSS-vector
The immediate mitigation for CVE-2025-4828 is to upgrade the WordPress Support Board plugin to a version that addresses the vulnerability. Unfortunately, a fixed version is not yet available. As a workaround, restrict file upload permissions to the WordPress user account and implement strict file access controls on the server. Consider using a WordPress security plugin with file integrity monitoring capabilities to detect unauthorized file modifications. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious file paths or deletion attempts. After upgrading (or implementing workarounds), verify the plugin's functionality and file integrity by manually checking for any unexpected file deletions or modifications.
Update the Support Board plugin to the latest available version. Check the plugin's repository page on WordPress.org or the developer's website for specific update instructions. Make sure you take a full backup of your website before applying an update.
CVE-2025-4828 is a critical vulnerability allowing attackers to delete arbitrary files on a WordPress server due to insufficient file path validation in the Support Board plugin, potentially leading to remote code execution.
You are affected if your WordPress site uses the Support Board plugin in versions 0.0.0 through 3.8.0. Upgrade immediately or apply workarounds.
Upgrade the Support Board plugin to a patched version. As no patch is available, implement workarounds like restricting file permissions and using a WAF.
While no public exploits are currently available, the vulnerability's ease of exploitation suggests a high probability of active exploitation. Monitor security advisories.
Refer to the WordPress security announcements page and the plugin developer's website for updates and advisories related to CVE-2025-4828.