CVE-2025-22298 · Missing Authorization vulnerability in Hive Support Hive Support hive-support

01 · The Real Story

This is a staff door where the badge reader exists, but nobody connected it to the lock

CVE-2025-22298 is a missing authorization flaw in the WordPress hive-support plugin affecting versions through 1.1.6, fixed in 1.1.7. Public writeups agree on the important part: a logged-in attacker with Subscriber-level access or higher can reach at least one plugin function without the capability check that should gate it, letting that user perform an action they were not meant to perform.

The vendor/CNA MEDIUM 4.3 score is fair in a vacuum, but for enterprise patch triage it is too generous. The decisive friction is that this is post-auth on a tiny deployment footprint plugin, with no KEV listing, no public in-the-wild evidence located, and very low EPSS. That makes it a real defect, but not a fire drill.

"Real bug, small problem: it needs a logged-in low-privilege user on a plugin with only 40+ reported installs."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get a low-privilege WordPress login

The attacker first needs a valid WordPress account at Subscriber or higher on a site running vulnerable hive-support. In practice that means self-registration on the site, credential stuffing against a reused password, or using an already-compromised customer/community account. Tooling here is boring: browser, curl, password-spraying kits, or standard WordPress login automation.

Conditions required:

Target runs Hive Support <= 1.1.6
Attacker has a valid WordPress account with Subscriber+ privileges
The account can authenticate to the site

Where this breaks in practice:

This is not unauthenticated remote; it already assumes the attacker crossed an auth boundary
Many enterprise WordPress deployments do not allow open self-registration
SSO, MFA, CAPTCHA, bot protection, and account approval workflows reduce reachable population

Detection/coverage: Commodity vuln scanners usually miss this unless they support authenticated WordPress checks; identity telemetry and WordPress auth logs are more useful than perimeter scanning.

STEP 02

Call the under-protected plugin function

Once logged in, the attacker invokes the vulnerable plugin action through the normal WordPress application flow, likely via an admin, AJAX, or REST-backed function that lacks a required capability check. Public sources do not provide a weaponized PoC or name the exact function for this CVE, so exploitation currently looks like manual abuse rather than turnkey mass scanning.

Conditions required:

Attacker can maintain an authenticated session
The vulnerable code path is reachable in that site's plugin configuration

Where this breaks in practice:

No public exploit repo or copy-paste PoC located in the reviewed sources
The missing capability check appears to enable an unauthorized action, not direct code execution
Endpoint reachability can vary by plugin configuration and site workflow

Detection/coverage: DAST coverage is weak without authenticated crawling and endpoint knowledge; SAST/code-diff review or vendor intel is more reliable.

STEP 03

Perform the unauthorized action

The outcome described by the public records is integrity impact only, which matches the vendor vector I:L with no confidentiality or availability impact. In plain English: a low-privilege user can do something they should not, but the available evidence does not show database takeover, arbitrary file write, or RCE from this specific CVE.

Conditions required:

The vulnerable function accepts the attacker's request
The action materially changes plugin state or workflow

Where this breaks in practice:

Public impact is limited to low integrity
No evidence that exploitation crosses from plugin abuse into host compromise
Blast radius is contained to the affected WordPress site and plugin workflow

Detection/coverage: Look for unexpected plugin setting changes, abnormal support workflow changes, or suspicious authenticated requests from low-privilege accounts.

STEP 04

Try to chain it into broader abuse

A skilled attacker could attempt to chain the unauthorized action with weak site governance, insecure plugins, or over-trusted support workflows. But that chain requires additional weaknesses outside this CVE, which is why the standalone issue scores low in real operations even though broken access control is never good news.

Conditions required:

The site has follow-on weaknesses worth chaining
The unauthorized action creates a meaningful stepping stone

Where this breaks in practice:

No public reports tie this CVE to broader post-exploitation chains
The plugin has a very small install base
Modern WordPress estates often segregate low-value brochure sites from crown-jewel apps

Detection/coverage: Correlate WordPress account activity, plugin changes, and downstream application anomalies; there is no known signature-based exploit pattern specific to this CVE.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence located in the reviewed sources, and not listed in CISA KEV. That matters because this bug is already narrowed by requiring authenticated Subscriber+ access.
Public PoC availability	No standalone public PoC repo or weaponized exploit reference found in Patchstack, Wordfence, WPScan, NVD, or the reviewed search results. Current public detail is descriptive, not operational.
EPSS	0.00114 from the supplied intel, which is roughly 0.114% probability over 30 days. Third-party mirrors show an EPSS percentile around the low teens, which is directionally consistent with a low-threat authenticated plugin bug.
KEV status	Not in CISA Known Exploited Vulnerabilities. No KEV date applies.
CVSS vector meaning	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N` translates to easy to trigger once logged in, but only after low privileges already exist, with low integrity impact only and no stated confidentiality or availability loss.
Affected versions	Hive Support – WordPress Help Desk / `hive-support` through 1.1.6 are affected according to the CNA record and downstream databases.
Fixed version	1.1.7 is the first fixed release for this CVE. The current WordPress.org listing is far newer, now at 2.0.3, and the changelog history shows the 1.1.7 security fix landed there.
Exposure footprint	The official WordPress.org plugin page reports only 40+ active installations, which is tiny. There is no useful Shodan/Censys-style fingerprint for mass internet counting here because this is an authenticated app-layer plugin issue, not a distinct exposed network service.
Disclosure timeline	Patchstack/Wordfence public date: 2025-01-06; NVD published: 2025-01-07. The user-supplied disclosure date of 2025-01-07 matches NVD publication rather than the earlier public vendor/CNA posting.
Researcher / source	Dhabaleshwar Das is credited by Patchstack/Wordfence/WPScan. The CVE was assigned and published through Patchstack as CNA.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (2.8/10)

The single biggest reason this lands in LOW is the authenticated Subscriber+ requirement, which makes it a post-auth abuse path rather than a perimeter-breaker. That narrowing gets even stronger because the plugin's reported deployment footprint is only 40+ active installs, so the reachable population is tiny before you even ask whether the unauthorized action is business-critical.

HIGH Attack precondition requires authenticated Subscriber+ access

HIGH Exposure footprint is small based on WordPress.org active install count

MEDIUM Exact unauthorized action details are sparse in public reporting

Why this verdict

Downgrade from vendor MEDIUM: this is authenticated remote with Subscriber+ privileges, which implies the attacker already has an account or prior compromise stage.
Further downgrade for exposure: the official plugin page reports only 40+ active installations, so the addressable enterprise population is extremely small.
Further downgrade for threat evidence: no KEV, no public exploitation evidence located, no public weaponized PoC located, and very low EPSS all argue against urgent adversary attention.

Why not higher?

There is no evidence this CVE is being exploited at scale, and the public impact is limited to low integrity rather than code execution or admin takeover. Just as important, requiring authenticated Subscriber+ access compounds real-world friction: this is a post-auth, narrow-population bug, not a broad internet-exposed initial-access flaw.

Why not lower?

It is still a genuine broken access control issue, not a theoretical hardening nit. On sites that allow user registration or already have lots of low-privilege accounts, a normal user being able to trigger a privileged plugin action is still unacceptable and deserves cleanup rather than outright dismissal.

05 · Compensating Control

What to do — in priority order.

Disable untrusted self-registration — If the site does not need open account creation, turn it off and prune stale Subscriber accounts. For a LOW finding there is no noisgate mitigation SLA, so handle this as backlog hygiene in the next normal WordPress administration cycle; the point is to remove the easiest path to satisfying the bug's biggest prerequisite.
Gate WordPress login behind stronger identity controls — Put wp-login.php and privileged site access behind SSO, MFA, bot protection, or IP restrictions where feasible. There is no noisgate mitigation SLA for LOW, but this is worth folding into your routine hardening baseline because it suppresses whole classes of authenticated plugin abuse, not just this CVE.
Turn on controlled plugin auto-updates — For low-install, non-core plugins, enable tested auto-update or at least owner-assigned update review so these long-tail WordPress bugs do not linger. With a LOW verdict there is no fixed mitigation deadline, so do it in the next maintenance window rather than as an emergency change.
Monitor low-privilege plugin activity — Add detections for unusual authenticated requests by Subscriber accounts, unexpected plugin setting changes, and sudden account creation spikes. Again, there is no noisgate mitigation SLA for LOW, but this provides useful telemetry for future WordPress plugin issues that also hide behind authentication.

What doesn't work

A network perimeter scan will not tell you much here, because the vulnerable behavior lives behind normal WordPress authentication and plugin routing.
A generic WAF rule set is weak compensation when the exact function/endpoint is not publicly documented; without a precise path, you are mostly hoping to catch side effects.
Host EDR alone does not solve this, because the abuse may look like legitimate application-layer requests from a valid logged-in user rather than malware on the server.

06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host or on a mounted backup/container image with filesystem access. Invoke it as bash check-hive-support-cve-2025-22298.sh /var/www/html (or point it directly at the plugin directory); it only needs read access to the WordPress files under wp-content/plugins/hive-support.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-hive-support-cve-2025-22298.sh
# Determine whether a WordPress installation is vulnerable to CVE-2025-22298
# Affected: Hive Support plugin <= 1.1.6
# Fixed:    1.1.7+
# Output:   VULNERABLE / PATCHED / UNKNOWN
# Exit:     1 vulnerable, 0 patched, 2 unknown

set -u

TARGET="${1:-}"
if [ -z "$TARGET" ]; then
  echo "UNKNOWN - usage: $0 <wordpress-root-or-hive-support-plugin-dir>"
  exit 2
fi

PLUGIN_DIR=""
if [ -d "$TARGET/wp-content/plugins/hive-support" ]; then
  PLUGIN_DIR="$TARGET/wp-content/plugins/hive-support"
elif [ -d "$TARGET" ] && [ "$(basename "$TARGET")" = "hive-support" ]; then
  PLUGIN_DIR="$TARGET"
else
  echo "UNKNOWN - hive-support plugin directory not found under: $TARGET"
  exit 2
fi

version=""

# Try readme first
if [ -f "$PLUGIN_DIR/readme.txt" ]; then
  version=$(awk -F': ' 'BEGIN{IGNORECASE=1} /^Stable tag:/ {gsub(/\r/,"",$2); print $2; exit}' "$PLUGIN_DIR/readme.txt")
fi

# Fallback: inspect plugin headers in PHP files
if [ -z "$version" ]; then
  while IFS= read -r -d '' phpfile; do
    candidate=$(awk -F': ' 'BEGIN{IGNORECASE=1} /^Version:/ {gsub(/\r/,"",$2); print $2; exit}' "$phpfile")
    if [ -n "$candidate" ]; then
      version="$candidate"
      break
    fi
  done < <(find "$PLUGIN_DIR" -maxdepth 2 -type f -name '*.php' -print0)
fi

# Normalize obvious non-version strings
if [ -z "$version" ] || [ "$version" = "trunk" ] || [ "$version" = "Development Version" ]; then
  echo "UNKNOWN - could not determine installed Hive Support version"
  exit 2
fi

verlte() {
  [ "$1" = "$2" ] && return 0
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

if verlte "$version" "1.1.6"; then
  echo "VULNERABLE - Hive Support version $version (affected <= 1.1.6)"
  exit 1
else
  echo "PATCHED - Hive Support version $version (fixed in 1.1.7+)"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, have your web platform owner inventory WordPress sites for the hive-support plugin and verify whether any instance is still on <= 1.1.6. If you find it, this is not an emergency outage patch: under the noisgate mitigation SLA there is no SLA for LOW, and under the noisgate remediation SLA there is likewise no fixed deadline for LOW—treat it as backlog hygiene and roll the update to 1.1.7+ (or current) into your next normal plugin maintenance window, while documenting the rationale and checking whether those sites allow open user registration.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.