6 matches found
CVE-2021-24823
The CVE-2021-24823 entry concerns the WordPress Support Board plugin prior to version 3.3.6. The issue is that actions handled by include/ajax.php lack CSRF checks, allowing an attacker to trigger actions as an authenticated user, e.g., an admin deleting arbitrary files. Connected sources (Red Ha...
CVE-2021-24807
The vulnerability is CVE-2021-24807 affecting the WordPress Support Board plugin (versions before 3.3.5). It allows Authenticated (Agent+) users to perform Stored Cross-Site Scripting by placing a payload in the notes field; when an administrator or any authenticated user opens the chat, the XSS ...
CVE-2025-4855
CVE-2025-4855 concerns the WordPress plugin Support Board. Multiple sources confirm a vulnerability in all versions up to 3.8.0 where hardcoded default secrets in sb_encryption() enable unauthenticated bypass of authorization and the execution of arbitrary AJAX actions via sb_ajax_execute(). This...
CVE-2025-4828
The CVE-2025-4828 entry concerns the WordPress Support Board plugin, where arbitrary file deletion is possible due to insufficient file path validation in sb_file_delete across all versions up to 3.8.0. This can lead to remote code execution when critical files (e.g., wp-config.php) are deleted. ...
CVE-2026-4816
CVE-2026-4816: A Reflected Cross Site Scripting (XSS) vulnerability exists in Support Board v3.7.7. An attacker can craft a malicious URL that injects JavaScript via the search parameter in /supportboard/include/articles.php, causing code execution in the victim’s browser and potentially exfiltra...
CVE-2026-4815
Support Board 3.7.7 is affected by a SQL injection vulnerability. The issue allows an attacker to retrieve, create, update, and delete data through the parameter calls[0][message_ids][] in the /supportboard/include/ajax.php endpoint. The connected CVE records confirm the affected product/version ...