Cyber Resilience

CVE-2025-4828

Critical

Published: 09 July 2025
Modified: 14 July 2025
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0861 (92.6th percentile)
Risk priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-4828 is a critical-severity Path Traversal (CWE-22) vulnerability in Schiocco Support Board. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Support Board plugin for WordPress is vulnerable to arbitrary file deletion in the sb_file_delete function due to insufficient file path validation. This affects all versions through 3.8.0 and is tracked as CWE-22. Successful exploitation can delete any file on the server, including wp-config.php, which commonly leads to remote code execution.

An unauthenticated attacker can chain this flaw with CVE-2025-4855 to trigger the deletion without authentication. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting a network-accessible attack that needs no privileges or user interaction and has high impact on confidentiality, integrity, and availability.

The EPSS score remains flat at 0.0861 with no material increase after disclosure. Public references point to the plugin vendor page on CodeCanyon and a detailed Wordfence threat intelligence entry for further analysis.
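As an added example (not the plugin's own code), a PHP deletion helper of the kind that would close the gap described above and implement the input-validation control listed under Mitigating Controls: it canonicalizes the requested path and refuses anything whose canonical form lies outside the allowed directory. The function name, directory layout and sample paths are constructed for the demonstration.

```php
<?php
// Added example (not Support Board's code): a file-deletion helper that
// confines the target to one allowed directory, the CWE-22 check the
// sb_file_delete description says is missing. Names are hypothetical.

/**
 * Delete $relative only if its canonical path lies inside $base_dir.
 * Returns false for anything else (traversal, symlinks pointing out,
 * absolute paths, NUL bytes, missing files, directories).
 */
function safe_delete_upload(string $base_dir, string $relative): bool
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Cheap syntactic rejects before touching the filesystem.
    if ($relative === '' || strpos($relative, "\0") !== false
        || $relative[0] === '/' || $relative[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $relative) === 1) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks, so the containment
    // test runs on the canonical path, not on the caller's string.
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return false; // nonexistent (covers dangling traversal attempts)
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // canonical path escaped the allowed directory
    }
    if (!is_file($target)) {
        return false; // refuse directories and special files
    }
    return unlink($target);
}
// Constructed layout in the temp dir: an uploads folder beside a
// wp-config.php that must survive every call below.
$root = sys_get_temp_dir() . '/sb_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/ticket-1.txt", 'attachment');
file_put_contents("$root/wp-config.php", '<?php // sensitive');

foreach (['../wp-config.php', 'sub/../../wp-config.php', 'ticket-1.txt'] as $p) {
    printf("%-26s -> %s\n", $p, safe_delete_upload("$root/uploads", $p) ? 'deleted' : 'refused');
}
printf("wp-config.php still present: %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');
```

Only the attachment inside the uploads directory is removed; both traversal paths are refused because the prefix test runs on the resolved path rather than on the caller's string.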

Vulnerability details

The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage the CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Direct exploitation of a public-facing WordPress plugin via path traversal (T1190) enables arbitrary file deletion (T1070.004), which in turn can lead to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-4855 (same product: Schiocco Support Board)
CVE-2026-4815 (same product: Schiocco Support Board)
CVE-2026-3666 (shared CWE-22)
CVE-2018-25308 (shared CWE-22)
CVE-2026-22460 (shared CWE-22)
CVE-2025-69377 (shared CWE-22)
CVE-2025-14850 (shared CWE-22)
CVE-2025-26752 (shared CWE-22)
CVE-2026-4350 (shared CWE-22)
CVE-2025-65792 (shared CWE-22)

Affected Assets

Vendor: schiocco
Product: support board
Versions: ≤ 3.8.1

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: SI-2 (Flaw Remediation). Directly addresses the vulnerability by requiring timely flaw remediation through patching the Support Board plugin to eliminate the path traversal in sb_file_delete.

Prevent: SI-10 (Information Input Validation). Prevents exploitation of the insufficient file path validation by enforcing comprehensive input validation to block arbitrary path traversal leading to file deletion.

Detect: SI-7 (Software, Firmware, and Information Integrity). Detects unauthorized file deletions, such as wp-config.php, through software and information integrity monitoring to identify compromise early.
