vulnerability

WordPress Plugin: hive-support: CVE-2025-5018: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:S/C:C/I:P/A:N)	Jun 5, 2025	Jul 28, 2025	Jul 28, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:P/A:N)

Published

Jun 5, 2025

Added

Jul 28, 2025

Modified

Jul 28, 2025

Description

The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.

Solution

hive-support-plugin-cve-2025-5018

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today