CVE-2025-54027

Vulnerability

Overview

The Support Board plugin for WordPress versions 3.8.0 and earlier contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a page, which is then executed in the context of the victim's browser session.

Exploitation

Details

Exploitation requires user interaction, such as clicking a crafted link or submitting a malicious form [1]. The attack can be initiated by any user, but successful execution depends on a privileged user (e.g., an administrator) performing the action. No specific authentication level is required beyond the victim being logged into the WordPress admin area. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of sites regardless of size or popularity [1].

Impact

A successful attack allows the attacker to inject malicious scripts that can perform actions such as redirecting visitors to attacker-controlled sites, displaying unwanted advertisements, or stealing session cookies [1]. This could lead to further compromise of the WordPress installation or its users.

Mitigation

The vendor has released version 3.8.1 which resolves the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update can be applied [1].