CVE-2025-5018
Description
The Hive Support WordPress plugin up to 1.2.5 lacks capability checks, allowing Subscriber+ attackers to read or overwrite the OpenAI API key and modify AI-chat settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Hive Support plugin for WordPress (versions up to and including 1.2.5) fails to perform capability checks on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions. This allows authenticated users with Subscriber-level access or higher to access and modify sensitive data. The affected functions handle OpenAI API key storage, inspection data, and AI-chat prompts.
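The missing-authorization pattern described above, shown beside its hardened form as an added PHP illustration (this is not the Hive Support plugin's actual code; the admin-ajax hook name, the option name, the nonce action and the choice of the manage_options capability are assumptions):

```php
<?php
// Added illustration only. Hook name, option name, nonce action and the
// capability required are assumptions, not values taken from the plugin.

// Weak pattern (CWE-862, missing authorization): any authenticated user who
// can reach admin-ajax.php, Subscriber included, reads and overwrites the key.
function hs_update_ai_chat_settings_weak() {
    $api_key = isset( $_POST['api_key'] ) ? $_POST['api_key'] : '';
    update_option( 'hs_openai_api_key', $api_key );
    // Echoing the stored secret back turns the write flaw into a read flaw too.
    wp_send_json_success( array( 'api_key' => get_option( 'hs_openai_api_key' ) ) );
}

// Hardened pattern: CSRF nonce, capability check, input sanitisation, and the
// secret is never returned to the caller. Both checks terminate the request on
// failure (check_ajax_referer() and wp_send_json_error() call wp_die()).
function hs_update_ai_chat_settings_hardened() {
    check_ajax_referer( 'hs_ai_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    if ( '' === $api_key ) {
        wp_send_json_error( array( 'message' => 'api_key is required' ), 400 );
    }
    // autoload=false keeps the secret out of the options loaded on every request.
    update_option( 'hs_openai_api_key', $api_key, false );
    wp_send_json_success( array( 'updated' => true ) );
}

// Read side: same gate, and only a masked fingerprint of the key is disclosed
// so an administrator can confirm which key is configured without exposing it.
function hs_get_ai_chat_settings_hardened() {
    check_ajax_referer( 'hs_ai_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $key = (string) get_option( 'hs_openai_api_key', '' );
    $masked = '' === $key ? '' : str_repeat( '*', max( 0, strlen( $key ) - 4 ) ) . substr( $key, -4 );
    wp_send_json_success( array( 'api_key_hint' => $masked ) );
}

// Only the hardened handlers are wired to admin-ajax.php; the weak one is shown
// for contrast and deliberately left unregistered.
add_action( 'wp_ajax_hs_update_ai_chat_settings', 'hs_update_ai_chat_settings_hardened' );
add_action( 'wp_ajax_hs_get_ai_chat_settings', 'hs_get_ai_chat_settings_hardened' );
```

A quick audit check for this bug class is to grep a plugin's `wp_ajax_` and REST callbacks for handlers that call update_option() or get_option() without a preceding current_user_can() check.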
Exploitation
An attacker needs only a valid WordPress user account with Subscriber privileges (or higher). No additional permissions are required. The attacker can send crafted requests to the vulnerable endpoints to read the stored OpenAI API key and inspection data, or overwrite them with arbitrary values. They can also modify AI-chat prompts and behavior.
Impact
Successful exploitation leads to unauthorized disclosure of the OpenAI API key and inspection data, potentially allowing the attacker to use the API key for their own purposes (incurring costs) or to manipulate the AI-chat functionality. The attacker can also alter the AI-chat prompts, affecting the behavior of the chatbot for all users. This compromises the confidentiality and integrity of the plugin's AI features.
Mitigation
The vulnerability is fixed in version 1.2.6 (or later) of the Hive Support plugin [1]. Users should update to the latest version (1.2.12 as of the reference) immediately. No workarounds are provided. The plugin is actively maintained, and the fix is available via the WordPress plugin repository.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.2.5
Patches
- r3311984
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4 references
News mentions
0 (No linked articles in our index yet.)