schiocco 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting、vendor risk sql injection、vendor risk csrf, and パス処理の欠陥 があり、vendor surface software deployment and vendor surface production workloads の利用場面で vendor impact session compromise、vendor impact data exposure, and ファイル上書き などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-4816 | A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | [email protected] | 4.8 | 0.05% | 2026-03-25 | 2026-03-26 |
| CVE-2026-4815 | A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls[0][message_ids][]' parameter in '/supportboard/include/ajax.php' endpoint. | [email protected] | 8.7 | 0.03% | 2026-03-25 | 2026-03-26 |
| CVE-2025-4855 | The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated. | [email protected] | 9.8 | 0.77% | 2025-07-09 | 2025-07-14 |
| CVE-2025-4828 | The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated. | [email protected] | 9.8 | 8.61% | 2025-07-09 | 2025-07-14 |
| CVE-2021-24823 | The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files | [email protected] | 8.1 | 0.20% | 2022-02-28 | 2024-11-21 |
| CVE-2021-24807 | The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any authenticated user go to the chat the XSS will be automatically executed. | [email protected] | 5.4 | 7.04% | 2021-11-08 | 2024-11-21 |
| CVE-2021-24741 | The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. | [email protected] | 9.8 | 58.26% | 2021-09-20 | 2024-11-21 |
| CVE-2018-18373 | In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action. | [email protected] | 5.4 | 0.15% | 2018-10-17 | 2024-11-21 |