Multiple vulnerabilities in Support Board from Schiocco

Posted date 09/03/2026
Identifier
INCIBE-2026-173
Importance
4 - High
Affected Resources

Support Board, v3.7.7 and prior.

Description

INCIBE has coordinated the publication of 2 vulnerabilities, 1 of high severity and 1 of medium severity, affecting Support Board v3.7.7, a WordPress plugin that automates customer communication processes via chat. They were discovered by Gonzalo Aguilar García (6h4ack).

Each vulnerability has been assigned the following CVE code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-41383: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
  • CVE-2025-41384: CVSS v4.0: 5.4 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
     
Solution

The vulnerabilities have been fixed by the Schiocco team in version 3.7.8, released in February 2025.

Detail
  • CVE-2025-41383: a SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database contents via the 'calls[0][message_ids][]' parameter of the '/supportboard/include/ajax.php' endpoint.
  • CVE-2025-41384: a Reflected Cross-Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL that uses the 'search' parameter of '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
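For teams checking whether the two endpoints above were probed before the upgrade to 3.7.8, the following is an added example (not part of the INCIBE advisory or of Support Board) that scans web-server access logs for the parameters named in the advisory: 'calls[0][message_ids][]' carrying anything other than numeric IDs, and 'search' carrying HTML or script markers. It assumes a combined log format and that the parameters appear in the query string; POST bodies are not present in standard access logs and would need request-body logging or a WAF. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the advisory.
SQLI_ENDPOINT = "/supportboard/include/ajax.php"
SQLI_PARAM = "calls[0][message_ids][]"    # should only ever carry integer message IDs
XSS_ENDPOINT = "/supportboard/include/articles.php"
XSS_PARAM = "search"

# Request-line extractor for the combined (Apache/Nginx) log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Markup that has no business in a plain-text article search term.
HTML_MARKERS = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample log (not real traffic): one benign and one suspicious hit per endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Mar/2026:10:00:01 +0100] "GET /supportboard/include/ajax.php?calls%5B0%5D%5Bmessage_ids%5D%5B%5D=42 HTTP/1.1" 200 512
203.0.113.11 - - [09/Mar/2026:10:00:02 +0100] "GET /supportboard/include/ajax.php?calls%5B0%5D%5Bmessage_ids%5D%5B%5D=42%27%20OR%201%3D1 HTTP/1.1" 200 9876
203.0.113.12 - - [09/Mar/2026:10:00:03 +0100] "GET /supportboard/include/articles.php?search=billing HTTP/1.1" 200 1200
203.0.113.13 - - [09/Mar/2026:10:00:04 +0100] "GET /supportboard/include/articles.php?search=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 1300
"""


def classify(line):
    """Return (cve, client_ip, decoded_value) findings for one log line; [] if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)   # percent-decodes keys and values
    findings = []
    if url.path == SQLI_ENDPOINT:
        for value in params.get(SQLI_PARAM, []):
            if not value.isdigit():                          # anything but an integer ID is suspect
                findings.append(("CVE-2025-41383", m.group("ip"), value))
    if url.path == XSS_ENDPOINT:
        for value in params.get(XSS_PARAM, []):
            if HTML_MARKERS.search(value):
                findings.append(("CVE-2025-41384", m.group("ip"), value))
    return findings


def scan(log_text):
    """Scan a whole log and return every finding in file order."""
    return [f for line in log_text.splitlines() for f in classify(line)]


if __name__ == "__main__":
    for cve, ip, value in scan(SAMPLE_LOG):
        print(f"{cve}  from {ip}: {value!r}")
```

The integer check on message IDs is deliberately strict; in a real deployment, tune the search-term markers against legitimate traffic before alerting on them.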
CVE
CVE identifier   Severity   Exploitation   Vendor
CVE-2025-41383   High       No             Schiocco
CVE-2025-41384   Medium     No             Schiocco