CVE-2025-4855

Name of the Vulnerable Software and Affected Versions: The Support Board plugin for WordPress versions up to, and including, 3.8.0

Description: The issue allows unauthorized access, modification, or deletion of data due to the use of hardcoded default secrets in the sb encryption() function. This enables unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb ajax execute() function.

Recommendations: For versions up to, and including, 3.8.0, update to a version that fixes the hardcoded default secrets issue in the sb encryption() function to prevent unauthorized access and arbitrary AJAX action execution. As a temporary workaround, consider restricting access to the sb ajax execute() function until a patch is available.