CVE-2025-4828

Support Board · Support Board plugin for WordPress

The Support Board plugin for WordPress suffers from an arbitrary file deletion vulnerability due to insufficient path validation in the sb_file_delete function.

Executive summary

An arbitrary file deletion vulnerability in the Support Board plugin for WordPress allows unauthenticated attackers to delete critical system files, potentially leading to a complete denial of service.

Vulnerability

The sb_file_delete function lacks sufficient file path validation, allowing an attacker to supply manipulated paths. This enables the deletion of arbitrary files on the server that the web server process has permissions to remove.

Business impact

With a CVSS score of 9.8, this flaw is critical. Successful exploitation could result in a total denial of service by deleting core WordPress files or sensitive configuration files, causing significant operational downtime and potential data loss.

Remediation

Immediate Action: Update the Support Board plugin to the latest version that includes robust path validation logic to prevent directory traversal and unauthorized file deletion.

Proactive Monitoring: Monitor server file system integrity and review web server access logs for requests containing suspicious directory traversal sequences (e.g., ../) directed at the plugin's file handling functions.

Compensating Controls: Ensure the web server process runs with the least privilege necessary, specifically restricting its ability to modify or delete files outside of designated upload directories.
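As an added example, not code from the Support Board plugin (whose sb_file_delete is PHP), the following Python shows the path-containment check a fixed delete handler needs: canonicalize the requested path and refuse anything that does not resolve inside the designated upload directory. The uploads directory, file names and helper names are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote

def resolve_inside(base_dir: str, requested: str):
    """Canonicalize `requested` relative to `base_dir`; return the absolute
    path if it stays inside `base_dir`, otherwise None."""
    decoded = unquote(requested)          # '%2e%2e%2f' -> '../'
    if "\x00" in decoded:                 # NUL bytes truncate paths in some runtimes
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks, so a link planted
    # inside the upload directory that points elsewhere is caught as well.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Compare on a separator boundary: '/srv/uploads2' must not pass for '/srv/uploads'.
    if not candidate.startswith(base + os.sep):
        return None
    return candidate

def delete_upload(base_dir: str, requested: str) -> bool:
    """Delete a file only if it resolves inside base_dir. True if deleted."""
    target = resolve_inside(base_dir, requested)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def demo() -> dict:
    """Constructed scenario: an uploads directory, a file outside it (standing in
    for a core file), and a symlink inside it pointing outside. Returns which
    deletion requests succeeded."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        inside = os.path.join(uploads, "ticket-42.png")
        outside = os.path.join(root, "wp-config.php")
        for p in (inside, outside):
            open(p, "w").close()
        os.symlink(outside, os.path.join(uploads, "link.png"))
        results = {
            "plain": delete_upload(uploads, "ticket-42.png"),
            "traversal": delete_upload(uploads, "../wp-config.php"),
            "encoded": delete_upload(uploads, "%2e%2e%2fwp-config.php"),
            "absolute": delete_upload(uploads, outside),
            "symlink": delete_upload(uploads, "link.png"),
        }
        results["outside_survived"] = os.path.exists(outside)
        return results

if __name__ == "__main__":
    print(demo())
```

Only the plain in-directory request deletes anything; the traversal, percent-encoded, absolute and symlink variants are all rejected before any filesystem call.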

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability presents a severe risk to system availability. Administrators should prioritize updating the Support Board plugin immediately and verify that the underlying server environment is hardened against arbitrary file manipulation by the web application service account.