Unauthorized Access Vulnerability in Hive Support Plugin by WordPress
CVE-2025-5018

7.1HIGH

Key Information:

Vendor: WordPress
Status: Hive Support | Ai-powered Help Desk, Live Chat & Ai Chat Bot Plugin For WordPress
Vendor: CVE Published:; 6 June 2025

What is CVE-2025-5018?

The Hive Support plugin for WordPress is affected by an authorization bypass that enables authenticated attackers, including those with Subscriber-level access, to access and modify sensitive data. Specifically, the missing capability check on the functions hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() allows unauthorized users to read and alter the site's OpenAI API key and other crucial configuration settings. This flaw underscores the necessity for robust permission checks to safeguard against unauthorized data access and ensures the integrity of user-configured components.

Affected Version(s)

Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress * <= 1.2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/hive-support/#developers

https://plugins.trac.wordpress.org/browser/hive-support/t...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2025
Vulnerability Reserved
May 20, 2025

Credit

Vo Thi Ngoc Nhi