CVE-2025-5018: Hive Support WP: OpenAI key theft + prompt hijack

HIGH
Published June 6, 2025
CISO Take

Any subscriber-level user on your WordPress site running Hive Support ≤1.2.4 can steal your OpenAI API key or rewrite your AI chatbot's system prompts. Rotate your OpenAI API key immediately and update the plugin. If patching is delayed, disable the plugin entirely—your AI chat is a live attack surface.

What is the risk?

High risk for WordPress deployments with registered users (forums, membership sites, SaaS). The barrier to exploitation is extremely low: a $0 account registration is sufficient. OpenAI API key exposure creates dual impact—financial (unauthorized API spend) and operational (adversary controls AI behavior). CVSS 7.1 is conservative; the AI-specific impact (prompt manipulation at scale) elevates real-world severity for AI-reliant businesses.

How severe is it?

CVSS 3.1: 7.1 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 18% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I Low
A None

What should I do?

  1. PATCH

    Update Hive Support plugin to version >1.2.4 immediately via WordPress admin.

  2. ROTATE

    Invalidate and regenerate all OpenAI API keys used by this plugin—assume compromise.

  3. RESTRICT

    Set spending limits on OpenAI API keys via the OpenAI dashboard to cap financial damage from stolen keys.

  4. DISABLE

    If a patch is unavailable, deactivate the plugin until patched.

  5. AUDIT

    Review OpenAI API usage logs for anomalous calls or spikes indicating key abuse.

  6. MONITOR

    Check AI chat logs for prompt modifications or unexpected behavior changes.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system
ISO 42001
A.6.1 - AI system access control
A.9.2 - AI system integrity
NIST AI RMF
GOVERN-1.1 - AI risk policies and accountability
MANAGE-2.2 - AI risk treatment and response
OWASP LLM Top 10
LLM02 - Insecure Plugin Design
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-5018?

Any subscriber-level user on your WordPress site running Hive Support ≤1.2.4 can steal your OpenAI API key or rewrite your AI chatbot's system prompts. Rotate your OpenAI API key immediately and update the plugin. If patching is delayed, disable the plugin entirely—your AI chat is a live attack surface.

Is CVE-2025-5018 actively exploited?

No confirmed active exploitation of CVE-2025-5018 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-5018?

  1. PATCH: Update Hive Support plugin to version >1.2.4 immediately via WordPress admin.
  2. ROTATE: Invalidate and regenerate all OpenAI API keys used by this plugin—assume compromise.
  3. RESTRICT: Set spending limits on OpenAI API keys via the OpenAI dashboard to cap financial damage from stolen keys.
  4. DISABLE: If a patch is unavailable, deactivate the plugin until patched.
  5. AUDIT: Review OpenAI API usage logs for anomalous calls or spikes indicating key abuse.
  6. MONITOR: Check AI chat logs for prompt modifications or unexpected behavior changes.

What systems are affected by CVE-2025-5018?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI chatbot integrations, LLM API key storage in plugins, Customer-facing AI chat systems, OpenAI-backed support automation.

What is the CVSS score for CVE-2025-5018?

CVE-2025-5018 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

  • WordPress AI chatbot integrations
  • LLM API key storage in plugins
  • Customer-facing AI chat systems
  • OpenAI-backed support automation

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application
AML.T0051 LLM Prompt Injection
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.6.1, A.9.2
NIST AI RMF: GOVERN-1.1, MANAGE-2.2
OWASP LLM Top 10: LLM02, LLM06

What are the technical details?

Original Advisory

The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.

Exploitation Scenario

An attacker registers a free subscriber account on a WordPress site. From that account they send authenticated AJAX POST requests to wp-admin/admin-ajax.php; no capability check blocks them. First, they call hive_lite_support_get_all_binbox() to read and exfiltrate the stored OpenAI API key, then sell it or use it for their own LLM workloads at the victim's expense. Simultaneously, they call hs_update_ai_chat_settings() with a crafted payload to inject a malicious system prompt instructing the chatbot to collect visitor PII, redirect users to phishing pages, or deny support to legitimate users, all while appearing as the legitimate company AI assistant.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.
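
Added example (not part of the advisory and not Hive Support's code): a small static audit that finds WordPress wp_ajax_* handlers whose callback never calls current_user_can(), the CWE-862 pattern described above. It generalizes beyond this CVE to any plugin source; the hook, function and option names in the sample are hypothetical and the sample source is constructed.

```python
import re
# Constructed sample plugin source: hypothetical names, not Hive Support's code.
SAMPLE_PHP = r"""
add_action('wp_ajax_demo_update_ai_settings', 'demo_update_ai_settings');
add_action('wp_ajax_demo_get_inbox', 'demo_get_inbox');
add_action('wp_ajax_demo_save_prompt', [$this, 'demo_save_prompt']);
function demo_update_ai_settings() {
    update_option('demo_openai_key', sanitize_text_field($_POST['key']));
}
function demo_get_inbox() {
    check_ajax_referer('demo_nonce');  // a nonce stops CSRF; it is not authorization
    wp_send_json_success(get_option('demo_openai_key'));
}
function demo_save_prompt() {
    if (!current_user_can('manage_options')) { wp_send_json_error('forbidden', 403); }
    update_option('demo_prompt', sanitize_textarea_field($_POST['prompt']));
}
"""

# Matches add_action('wp_ajax_<action>', 'fn') and [$obj, 'fn'] / array($obj, 'fn').
HOOK_RE = re.compile(r"""add_action\(\s*['"](wp_ajax_(?:nopriv_)?[\w-]+)['"]\s*,\s*"""
                     r"""(?:(?:array\s*\(|\[)\s*[^,]+,\s*)?['"](\w+)['"]""")
NONCE_RE = re.compile(r"check_ajax_referer\(|wp_verify_nonce\(")

def function_body(src, name):
    """Brace-matched body of PHP function `name`, or None (heuristic, no PHP parser)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return None

def audit(src):
    """Map each wp_ajax_* hook to a verdict on its callback's access checks."""
    results = {}
    for hook, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None:
            results[hook] = "callback-not-found"
        elif "current_user_can(" in body:
            results[hook] = "ok"
        else:
            results[hook] = "nonce-only" if NONCE_RE.search(body) else "no-check"
    return results
```

Treat "no-check" and "nonce-only" verdicts as leads for manual review: a handler may delegate its capability check to a helper function that this scan does not follow.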

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Timeline

Published: June 6, 2025
Last Modified: April 15, 2026
First Seen: June 6, 2025
