CVE-2025-5018: Hive Support WP: OpenAI key theft + prompt hijack

HIGH
Published June 6, 2025
CISO Take

Any subscriber-level user on your WordPress site running Hive Support ≤1.2.4 can steal your OpenAI API key or rewrite your AI chatbot's system prompts. Rotate your OpenAI API key immediately and update the plugin. If patching is delayed, disable the plugin entirely—your AI chat is a live attack surface.

Risk Assessment

High risk for WordPress deployments with registered users (forums, membership sites, SaaS). The barrier to exploitation is extremely low: a $0 account registration is sufficient. OpenAI API key exposure creates dual impact—financial (unauthorized API spend) and operational (adversary controls AI behavior). CVSS 7.1 is conservative; the AI-specific impact (prompt manipulation at scale) elevates real-world severity for AI-reliant businesses.

Severity & Risk

CVSS 3.1
7.1 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 43% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I Low
A None

Recommended Action

  1. PATCH

    Update the Hive Support plugin to a version later than 1.2.4 immediately via WordPress admin.

  2. ROTATE

    Invalidate and regenerate all OpenAI API keys used by this plugin—assume compromise.

  3. RESTRICT

    Set spending limits on OpenAI API keys via the OpenAI dashboard to cap financial damage from stolen keys.

  4. DISABLE

    If a patch is unavailable, deactivate the plugin until it is patched.

  5. AUDIT

    Review OpenAI API usage logs for anomalous calls or spikes indicating key abuse.

  6. MONITOR

    Check AI chat logs for prompt modifications or unexpected behavior changes.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system

ISO 42001
A.6.1 - AI system access control
A.9.2 - AI system integrity

NIST AI RMF
GOVERN-1.1 - AI risk policies and accountability
MANAGE-2.2 - AI risk treatment and response

OWASP LLM Top 10
LLM02 - Insecure Plugin Design
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-5018?

Any subscriber-level user on your WordPress site running Hive Support ≤1.2.4 can steal your OpenAI API key or rewrite your AI chatbot's system prompts. Rotate your OpenAI API key immediately and update the plugin. If patching is delayed, disable the plugin entirely—your AI chat is a live attack surface.

Is CVE-2025-5018 actively exploited?

No confirmed active exploitation of CVE-2025-5018 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-5018?

  1. PATCH: Update the Hive Support plugin to a version later than 1.2.4 immediately via WordPress admin.
  2. ROTATE: Invalidate and regenerate all OpenAI API keys used by this plugin—assume compromise.
  3. RESTRICT: Set spending limits on OpenAI API keys via the OpenAI dashboard to cap financial damage from stolen keys.
  4. DISABLE: If a patch is unavailable, deactivate the plugin until it is patched.
  5. AUDIT: Review OpenAI API usage logs for anomalous calls or spikes indicating key abuse.
  6. MONITOR: Check AI chat logs for prompt modifications or unexpected behavior changes.

What systems are affected by CVE-2025-5018?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI chatbot integrations, LLM API key storage in plugins, Customer-facing AI chat systems, OpenAI-backed support automation.

What is the CVSS score for CVE-2025-5018?

CVE-2025-5018 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.
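
The weakness class described above (an AJAX handler with no capability check) can be audited for in any plugin's source. The following is an added example, not code from the Hive Support plugin or from NVD: a heuristic Python check that flags wp_ajax_ callbacks which never call current_user_can(). The PHP sample, its demo_ hook and function names, and the option names are constructed for illustration. A nonce check alone is still flagged, because a nonce does not establish what the user is allowed to do.

```python
import re

# Constructed sample plugin source. All demo_* names are hypothetical and
# are not taken from the Hive Support plugin.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_demo_update_ai_chat_settings', 'demo_update_ai_chat_settings');
add_action('wp_ajax_demo_get_all_inbox', 'demo_get_all_inbox');
add_action('wp_ajax_demo_guarded', 'demo_guarded');
function demo_update_ai_chat_settings() {   // no checks at all
    update_option('demo_openai_key', $_POST['key']);
}
function demo_get_all_inbox() {             // nonce only, no capability check
    check_ajax_referer('demo_nonce');
    wp_send_json_success(get_option('demo_openai_key'));
}
function demo_guarded() {                   // nonce plus capability check
    check_ajax_referer('demo_nonce');
    if (!current_user_can('manage_options')) { wp_send_json_error('forbidden', 403); }
    update_option('demo_prompt', sanitize_textarea_field(wp_unslash($_POST['prompt'])));
}
"""

# Matches add_action('wp_ajax_<action>', '<callback>') with a string callback.
# Array/class-method callbacks are not covered by this heuristic.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"](wp_ajax_(?:nopriv_)?[\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")

def function_body(source, name):
    """Return the brace-balanced body of a named PHP function, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:      # naive: ignores braces inside strings
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def unguarded_ajax_handlers(source):
    """List (hook, callback) pairs whose callback never calls current_user_can()."""
    findings = []
    for hook, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        # check_ajax_referer() is deliberately not accepted as a substitute.
        if body is not None and "current_user_can(" not in body:
            findings.append((hook, callback))
    return findings

if __name__ == "__main__":
    for hook, callback in unguarded_ajax_handlers(SAMPLE_PHP):
        print(f"{hook} -> {callback}(): no current_user_can() check")
```

A hit is a prompt for manual review rather than proof of a flaw: a handler may delegate its authorization check to a helper function that this text match does not follow.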

Exploitation Scenario

An attacker registers a free subscriber account on a WordPress site. Because no capability check blocks them, authenticated AJAX POST requests from that account to wp-admin/admin-ajax.php are accepted. First, they call hive_lite_support_get_all_binbox() to read and exfiltrate the stored OpenAI API key, then sell it or use it for their own LLM workloads at the victim's expense. At the same time, they call hs_update_ai_chat_settings() with a crafted payload to inject a malicious system prompt instructing the chatbot to collect visitor PII, redirect users to phishing pages, or deny support to legitimate users, all while appearing as the legitimate company AI assistant.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Timeline

Published
June 6, 2025
Last Modified
June 6, 2025
First Seen
June 6, 2025
