CVE-2026-27395: WordPress Support Board plugin < 3.8.9 - Privilege Escalation vulnerability
Unauthenticated Privilege Escalation in Support Board < 3.8.9 versions.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 3.8.9
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated privilege escalation vulnerability affects the Support Board WordPress plugin in versions before 3.8.9. The flaw is reachable over the network and requires no credentials, allowing any remote user to elevate their privileges within the application. Successful exploitation gives an attacker full read, write, and availability impact on the affected WordPress site. A patched-image rebuild at version 3.8.9 is available on HarborGuard for environments running an affected version of the plugin.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images and pipelines, including custom-built WordPress images that bundle the Support Board plugin.
- Prioritization: Available. HarborGuard scores this finding at CVSS 9.8 Critical, and per-environment compliance policy weighting is applied to prioritize routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation: Available. A patched-image rebuild at Support Board version 3.8.9 becomes available on HarborGuard for any scanned image found to carry an affected version of the plugin. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress site via HTTP or HTTPS.
- Authentication: Not required. No account or credentials of any kind are needed; the privilege escalation is fully unauthenticated.
- Victim interaction: Not required. The attacker can exploit this vulnerability directly without any action from an administrator or other user.
- Attack complexity: Low (AC:L in the CVSS vector). The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental prerequisites.
Blast Radius
- An attacker gains elevated privileges within the WordPress application, enabling access to all stored site data including user records, private content, and plugin configuration.
- With write access, an attacker can modify posts, pages, settings, or install additional plugins and themes to establish persistence.
- Full availability impact means the attacker can disrupt or take down the WordPress site entirely.
- Privilege escalation at this level typically enables follow-on compromise of the underlying server if further weaknesses exist in the hosting environment.
How HarborGuard Handles This
Available on HarborGuard: any image found to include Support Board below version 3.8.9 is flagged immediately upon ingest, scored at CVSS 9.8 Critical, and routed according to each environment's compliance policy. Where auto-remediation is enabled, HarborGuard initiates a rebuild against the 3.8.9 fix version, executes a regression test run, and opens a pull request against affected workloads. For high and critical severity findings, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who have not enabled auto-remediation receive a prioritized alert with remediation guidance and can trigger the rebuild manually from the HarborGuard dashboard.
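The gate HarborGuard applies is "Support Board below version 3.8.9", which is simple to state but easy to get wrong in a home-grown image check: a plain string comparison ranks "3.8.10" below "3.8.9", and a pre-release build such as "3.8.9-beta" is not the fixed release. The following is an added example (not HarborGuard's code and not the plugin's) of how a defender can read the WordPress plugin header out of an image and apply the affected range correctly. The plugin directory layout (`wp-content/plugins/*/*.php`) and the sample header text are assumptions constructed for the example; only the plugin name, the fixed version 3.8.9 and the "< 3.8.9" range come from the advisory.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# From the advisory: Support Board versions below 3.8.9 are affected.
AFFECTED_PLUGIN_NAME = "Support Board"
FIXED_VERSION = "3.8.9"

# Constructed sample of a WordPress plugin header (not the real plugin file).
# The version is deliberately 3.8.10, which a naive string compare would
# wrongly rank below "3.8.9" and report as affected.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Support Board
Description: Constructed header for the version check example.
Version: 3.8.10
*/
"""

# Matches a "Field: value" line inside the plugin header comment block.
_HEADER_FIELD = r"^[ \t/*]*{field}:[ \t]*(.+?)[ \t]*$"


def header_field(text: str, field: str) -> Optional[str]:
    """Return the value of a 'Field:' line from a WordPress plugin header, or None."""
    pattern = _HEADER_FIELD.format(field=re.escape(field))
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison: '3.8.10' -> (3, 8, 10).

    A pre-release suffix ('3.8.9-beta') appends -1 so it sorts below the bare
    release; the check therefore treats pre-releases of the fix as still affected.
    """
    key = []
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            key.append(-1)
            break
        key.append(int(m.group(1)))
        if m.group(2):
            key.append(-1)
            break
    return tuple(key)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, i.e. inside the advisory's affected range."""
    a, b = version_key(installed), version_key(fixed)
    n = max(len(a), len(b))
    # Pad so that "3.8" compares as (3, 8, 0) against (3, 8, 9).
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess_plugin_header(text: str) -> dict:
    """Produce a scanner-style finding for one plugin header."""
    name = header_field(text, "Plugin Name")
    version = header_field(text, "Version")
    result = {"plugin": name, "version": version, "affected": None}
    if name != AFFECTED_PLUGIN_NAME:
        result["note"] = "not the plugin named in the advisory"
    elif version is None:
        result["note"] = "no Version: header; inspect manually"
    else:
        result["affected"] = is_affected(version)
        result["fixed_in"] = FIXED_VERSION
    return result


def scan_plugins_dir(plugins_root: Path) -> list:
    """Assess every top-level .php file under wp-content/plugins/*/ (assumed layout)."""
    findings = []
    for php in sorted(plugins_root.glob("*/*.php")):
        try:
            head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        except OSError:
            continue
        if header_field(head, "Plugin Name"):
            findings.append({"path": str(php), **assess_plugin_header(head)})
    return findings


if __name__ == "__main__":
    print(assess_plugin_header(SAMPLE_PLUGIN_HEADER))
    for v in ("3.8.8", "3.8.9-beta", "3.8.9", "3.8.10", "3.9"):
        print(f"{v:>10}: {'affected' if is_affected(v) else 'not affected'}")
```

Point `scan_plugins_dir` at the extracted filesystem of an image (for example the `wp-content/plugins` directory of a mounted layer) to get one finding per plugin; only a finding whose `plugin` is "Support Board" and whose `affected` is `True` corresponds to this advisory.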
Fix available
- Schiocco / Support Board: < 3.8.9 (from n/a)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H