CVE-2025-4828
Published: 09 July 2025
Summary
CVE-2025-4828 is a critical-severity Path Traversal (CWE-22) vulnerability in Schiocco Support Board. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.4% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Support Board plugin for WordPress is vulnerable to arbitrary file deletion in the sb_file_delete function because the supplied file path is not validated against the directory the function is meant to operate in (path traversal, CWE-22). All versions up to and including 3.8.0 are affected. Successful exploitation deletes any file the web server process is permitted to remove, including wp-config.php; with that file gone, WordPress falls back to its installation routine on the next request, which is the usual route from a file-deletion primitive to remote code execution.
Chained with CVE-2025-4855, a separate Support Board flaw, the deletion can be triggered without authentication. The CVSS 3.1 base score is 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network with low attack complexity, no privileges and no user interaction, and high impact on confidentiality, integrity and availability.
The EPSS probability is 0.0861 (an estimated 8.6% chance of exploitation activity within 30 days) and has stayed flat since disclosure. Public references point to the plugin's vendor page on CodeCanyon and a detailed Wordfence threat intelligence entry for further analysis.
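The following is an added example, not Support Board's code, and does not reproduce sb_file_delete. It shows the class of bug in a constructed Python file-deletion handler beside a hardened version that canonicalises the requested path and refuses anything that resolves outside the uploads directory (the check the SI-10 input-validation control under Mitigating Controls calls for). The function names, directory layout and traversal payload are hypothetical. The same approach applies in PHP with realpath() on both sides of the comparison; realpath() returns false for a path that does not exist, which a delete handler can simply treat as a rejection.

```python
"""CWE-22 in a file-deletion handler: a constructed vulnerable handler beside a
hardened one.  Added example, not Support Board's sb_file_delete code; the
function names, directory layout and payload are hypothetical.  Both handlers
receive the attacker-controlled ``user_path`` parameter and are meant to
delete only files under the uploads directory."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def delete_vulnerable(uploads_dir: str, user_path: str) -> bool:
    """Naive handler: joins user input onto the uploads directory and deletes
    the result.  '../' segments walk out of uploads_dir, and an absolute
    user_path makes os.path.join discard uploads_dir entirely."""
    target = os.path.join(uploads_dir, user_path)  # no containment check (the bug)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def resolve_within(base_dir: str, user_path: str) -> Optional[Path]:
    """Canonicalise base_dir and base_dir/user_path, then accept user_path only
    if the result lies strictly under base_dir.  Canonicalising both sides
    (collapsing '.', '..' and following symlinks) before comparing is what
    defeats traversal; a textual search for '../' misses alternative encodings,
    mixed separators and symlinks that point outside the directory."""
    if os.path.isabs(user_path):
        return None  # an absolute path would replace base_dir in the join
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped base_dir after canonicalisation
    if candidate == base:
        return None  # never let the caller target the directory itself
    return candidate


def delete_hardened(uploads_dir: str, user_path: str) -> bool:
    """Same interface, but deletes only a regular file confined to uploads_dir.
    Authorising the caller (capability check, nonce) is a separate control
    that this example does not show."""
    target = resolve_within(uploads_dir, user_path)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> Dict[str, bool]:
    """Build a throwaway site tree (constructed sample data) and send the same
    traversal payload to both handlers, recording what each one did."""
    root = tempfile.mkdtemp()
    try:
        site = Path(root) / "site"
        uploads = site / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        config = site / "wp-config.php"
        config.write_text("<?php /* constructed stand-in for wp-config.php */")
        (uploads / "image.png").write_bytes(b"\x89PNG stand-in")

        payload = "../../wp-config.php"  # two levels up from uploads/
        results = {
            "hardened_rejects_traversal": not delete_hardened(str(uploads), payload),
            "hardened_rejects_absolute_path": not delete_hardened(str(uploads), str(config)),
            "resolve_allows_dotdot_that_stays_inside":
                resolve_within(str(uploads), "sub/../image.png") == uploads.resolve() / "image.png",
            "hardened_deletes_file_inside_uploads": delete_hardened(str(uploads), "image.png"),
            "config_intact_after_hardened": config.exists(),
        }
        # The unsafe handler deletes the configuration file with the same payload.
        results["vulnerable_deletes_config"] = delete_vulnerable(str(uploads), payload)
        results["config_exists_after_vulnerable"] = config.exists()
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the hardened handler resolves the path before the is_file check and only then unlinks it, so a request that names an existing file through a symlink inside uploads still ends up compared by its real location.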
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20755
Vulnerability details
The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage the CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct exploitation of a public-facing WordPress plugin via path traversal maps to Exploit Public-Facing Application (T1190). The resulting arbitrary file deletion is mapped to Indicator Removal: File Deletion (T1070.004); since T1070.004 describes an adversary deleting files to cover their tracks, the mapping here captures the capability (unrestricted file deletion) rather than the attacker's goal, which is removing wp-config.php as a step toward RCE.
Affected Assets
Support Board plugin for WordPress (vendor: Schiocco), all versions up to and including 3.8.0.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly addresses the vulnerability by requiring timely remediation, that is, updating the Support Board plugin to a release that removes the path traversal in sb_file_delete.
SI-10 (Information Input Validation): prevents exploitation by requiring that the supplied file path be canonicalised and checked against the intended directory before any deletion, so traversal sequences cannot reach files outside it.
SI-7 (Software, Firmware, and Information Integrity): detects unauthorized file deletions, such as the removal of wp-config.php, through integrity monitoring of the web root, so that a compromise is identified early.
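As an added example of the integrity-monitoring control (not from the page or any vendor tool), the Python below hashes every file under a site root, compares a later snapshot with the stored baseline, and raises a HIGH alert when a critical file such as wp-config.php disappears. The site tree and file contents are constructed stand-ins; the CRITICAL set and the rule that flags a new PHP file under wp-content/uploads/ are assumptions an operator would tune, not something the advisory specifies.

```python
"""Baseline-and-compare file integrity check in the spirit of SI-7.  Added
example, not from the page or any vendor tool.  The site tree, file contents,
CRITICAL set and the uploads/*.php heuristic are constructed assumptions."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Files whose deletion or modification is treated as a probable compromise.
# wp-config.php is the file the advisory names; operators extend this (assumption).
CRITICAL = {"wp-config.php"}


def snapshot(root: str) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its sha256."""
    base = Path(root)
    digests: Dict[str, str] = {}
    for path in sorted(base.rglob("*")):
        if path.is_file():
            rel = path.relative_to(base).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as deleted, modified or added relative to the baseline."""
    return {
        "deleted": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
    }


def alerts(report: Dict[str, List[str]]) -> List[str]:
    """One alert line per change.  Any change to a CRITICAL file is HIGH; a new
    PHP file under wp-content/uploads/ (where code should never be served) is
    HIGH as well (heuristic, an assumption); everything else is LOW for review."""
    lines: List[str] = []
    for kind in ("deleted", "modified", "added"):
        for rel in report[kind]:
            dropped_php = kind == "added" and rel.startswith("wp-content/uploads/") and rel.endswith(".php")
            high = Path(rel).name in CRITICAL or dropped_php
            lines.append(f"{'HIGH' if high else 'LOW'} {kind} {rel}")
    return lines


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate the post-exploitation
    state (wp-config.php deleted, a plugin file edited, a PHP file dropped into
    uploads) and return the diff together with the alert lines."""
    root = tempfile.mkdtemp()
    try:
        site = Path(root)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        plugin = site / "wp-content" / "plugins" / "example" / "example.php"
        plugin.parent.mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php /* constructed */ define('DB_NAME', 'wp');")
        (site / "index.php").write_text("<?php /* constructed */ require 'wp-blog-header.php';")
        plugin.write_text("<?php /* constructed plugin */")
        baseline = snapshot(str(site))

        (site / "wp-config.php").unlink()  # the deletion the advisory describes
        plugin.write_text("<?php /* constructed plugin, modified */")
        (site / "wp-content" / "uploads" / "x.php").write_text("<?php /* constructed, should not exist */")

        report = diff_snapshots(baseline, snapshot(str(site)))
        report["alerts"] = alerts(report)
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

Keep the baseline snapshot off the web host or on read-only storage and run the comparison from a separate scheduler: an attacker with the arbitrary-deletion primitive this advisory describes could otherwise remove the baseline along with wp-config.php.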