CVE-2026-4815 Overview
CVE-2026-4815 is a SQL Injection vulnerability [CWE-89] in Schiocco Support Board version 3.7.7, a WordPress-based customer support and live chat plugin. The flaw resides in the /supportboard/include/ajax.php endpoint, where the calls[0][message_ids][] parameter is concatenated into a SQL query without proper sanitization. Authenticated attackers can inject arbitrary SQL statements to retrieve, create, update, and delete database records. The vulnerability was disclosed through INCIBE-CERT as part of a multi-vulnerability advisory affecting the plugin.
Critical Impact
An authenticated attacker can execute arbitrary SQL queries against the underlying database, leading to full compromise of stored support tickets, user records, and credentials managed by the plugin.
Affected Products
- Schiocco Support Board v3.7.7 (WordPress plugin)
- Earlier versions of Support Board v3 may also be impacted
- WordPress installations using the vulnerable plugin component
Discovery Timeline
- 2026-03-25 - CVE-2026-4815 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-4815
Vulnerability Analysis
The vulnerability is a classic SQL Injection [CWE-89] in the AJAX handler at /supportboard/include/ajax.php. The endpoint processes the calls[0][message_ids][] array parameter and embeds the supplied values directly into a SQL statement. Because the input is neither validated nor parameterized, the database engine treats injected SQL syntax as part of the query.
Exploitation requires only a low-privileged authenticated account (PR:L in the CVSS vector). Any user holding an authenticated session that can reach the support endpoint can submit crafted POST requests to the AJAX route. Successful exploitation yields full read and write access to the WordPress database, including the wp_users table, session data, and support conversation history.
The network-reachable attack surface and lack of user interaction make the issue suitable for automated exploitation once valid credentials are obtained, including through credential stuffing or registration on sites that permit self-service signup.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command. The message_ids array values flow into the query builder without prepared statements or casting to integer types. Schiocco's AJAX handler should validate that each message identifier is an integer and pass the values through $wpdb->prepare() with appropriate placeholders (one %d per identifier) rather than concatenating them into the query string.
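The PHP below is an added illustration, not Support Board's own code (the advisory does not reproduce the vulnerable handler). It contrasts the concatenation pattern described above with a handler that validates and binds every identifier. The table name wp_sb_messages, the function names, and the FakeWpdb stand-in for $wpdb are assumptions made so the snippet runs outside WordPress; the real $wpdb->prepare() casts %d arguments to integers in the same way as the stand-in.

```php
<?php
// Added example (not Support Board's own code). Shows the vulnerable
// concatenation pattern beside a hardened handler for calls[0][message_ids][].
// FakeWpdb is a stand-in for the WordPress $wpdb object so this runs stand-alone;
// its prepare() mimics the real %d behaviour (each argument cast to int).
class FakeWpdb {
    public string $prefix = 'wp_';

    public function prepare(string $query, ...$args): string {
        // Real $wpdb->prepare() casts every %d argument with intval(), so no
        // SQL syntax supplied by the client can survive into the statement.
        $ints = array_map('intval', $args);
        return vsprintf($query, $ints);
    }
}

// Vulnerable pattern (the shape the advisory describes): values concatenated raw.
function build_query_vulnerable(FakeWpdb $wpdb, array $message_ids): string {
    $ids = implode(',', $message_ids);   // client-controlled text goes straight in
    // Table name is an assumption for illustration (plugin tables use the wp_sb_ prefix).
    return "SELECT * FROM {$wpdb->prefix}sb_messages WHERE id IN ($ids)";
}

// Hardened pattern: check the shape, accept only digit strings, bind each value.
function build_query_hardened(FakeWpdb $wpdb, $message_ids): ?string {
    if (!is_array($message_ids) || $message_ids === []) {
        return null;                       // reject a missing or malformed parameter
    }
    $ints = [];
    foreach ($message_ids as $id) {
        // Only scalar values made purely of digits are valid message identifiers.
        if (!is_scalar($id) || !preg_match('/^\d{1,10}\z/', (string) $id)) {
            return null;                   // anything else aborts before any query is built
        }
        $ints[] = (int) $id;
    }
    // One %d placeholder per identifier, expanded by prepare() with integer casting.
    $placeholders = implode(',', array_fill(0, count($ints), '%d'));
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}sb_messages WHERE id IN ($placeholders)",
        ...$ints
    );
}

$wpdb = new FakeWpdb();
// Constructed inputs: a legitimate request and one carrying SQL syntax.
$benign  = ['12', '15'];
$hostile = ['12', '15 UNION SELECT 1'];

echo "vulnerable: ", build_query_vulnerable($wpdb, $hostile), PHP_EOL;
echo "hardened  : ", build_query_hardened($wpdb, $benign) ?? 'rejected', PHP_EOL;
echo "hardened  : ", build_query_hardened($wpdb, $hostile) ?? 'rejected', PHP_EOL;
```

Rejecting the request on the first non-numeric value, rather than silently dropping or casting it, is deliberate: a client that sends SQL syntax in an identifier field is never a legitimate caller, and failing loudly gives the detection layer something to log.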
Attack Vector
The attacker sends a POST request to /supportboard/include/ajax.php containing a malicious payload in the calls[0][message_ids][] parameter. Typical payloads include UNION-based extraction strings, time-based blind injection probes, and stacked queries to modify data. The vulnerability is described in the INCIBE Security Notice. No public proof-of-concept exploit is currently listed.
Detection Methods for CVE-2026-4815
Indicators of Compromise
- POST requests to /supportboard/include/ajax.php containing SQL syntax tokens such as UNION, SELECT, SLEEP(, --, or 0x within the calls[0][message_ids][] parameter
- Unexpected database errors logged by WordPress or MySQL referencing the wp_sb_ plugin tables
- New or modified administrator accounts in wp_users not corresponding to legitimate provisioning
- Outbound HTTP requests from the web server immediately following crafted AJAX calls, indicating data exfiltration
Detection Strategies
- Inspect request logs for POST requests to ajax.php with abnormally long or URL-encoded message_ids values; standard access logs record only the request line, so POST bodies must be captured through the WAF audit log or application-level request logging
- Deploy WAF rules that match SQL keywords inside array-style POST parameters targeting the Support Board endpoint
- Enable MySQL general or slow query logging and alert on queries referencing information_schema from the WordPress database user
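An added detection example, not part of the advisory: the PHP script below parses captured request bodies, extracts the calls[0][message_ids][] values and flags any that is not a plain integer. Allow-listing the only legitimate shape catches encodings and token variants that a keyword list such as the indicators above can miss. The log line format ("client-ip path urlencoded-body"), the IP addresses and the bodies are constructed for the example; in practice the lines would come from a ModSecurity audit log or application-level logging, since ordinary access logs omit POST bodies.

```php
<?php
// Added example (not from the advisory): flag non-integer message_ids values in
// captured request bodies for the Support Board AJAX endpoint.

// Constructed sample lines: "<client-ip> <path> <urlencoded-body>".
const SAMPLE_LOG = [
    '203.0.113.5 /supportboard/include/ajax.php calls%5B0%5D%5Bfunction%5D=get-messages&calls%5B0%5D%5Bmessage_ids%5D%5B%5D=12&calls%5B0%5D%5Bmessage_ids%5D%5B%5D=15',
    '203.0.113.9 /supportboard/include/ajax.php calls%5B0%5D%5Bfunction%5D=get-messages&calls%5B0%5D%5Bmessage_ids%5D%5B%5D=12%20UNION%20SELECT%201',
    '198.51.100.2 /wp-admin/admin-ajax.php action=heartbeat',
];

// Decode the body and return the message_ids values as strings, or [] if absent.
function extract_message_ids(string $body): array {
    parse_str($body, $params);             // percent-decodes and builds the nested array
    $ids = $params['calls'][0]['message_ids'] ?? null;
    if (!is_array($ids)) {
        return [];
    }
    return array_map('strval', $ids);
}

// A value is suspicious unless it is a short run of digits, the only valid shape.
function is_suspicious_id(string $value): bool {
    return !preg_match('/^\d{1,10}\z/', $value);
}

// Scan log lines and return one finding per offending value on the target endpoint.
function scan_request_log(array $lines): array {
    $findings = [];
    foreach ($lines as $line) {
        [$ip, $path, $body] = explode(' ', $line, 3) + [null, null, ''];
        if ($path !== '/supportboard/include/ajax.php') {
            continue;                      // other endpoints are out of scope here
        }
        foreach (extract_message_ids($body) as $value) {
            if (is_suspicious_id($value)) {
                $findings[] = ['ip' => $ip, 'value' => $value];
            }
        }
    }
    return $findings;
}

foreach (scan_request_log(SAMPLE_LOG) as $f) {
    printf("ALERT %s sent non-integer message_id %s\n", $f['ip'], json_encode($f['value']));
}
```

Because the check is on the decoded value rather than on raw tokens, double-encoded or case-varied payloads are treated the same as plain ones; the trade-off is that the script must know the endpoint's expected parameter shape, which is exactly what makes it precise for this CVE.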
Monitoring Recommendations
- Forward WordPress, web server, and database logs to a centralized analytics platform for correlation across the request and query layers
- Baseline normal volume of ajax.php requests per authenticated user and alert on deviations
- Track creation of new privileged WordPress accounts and changes to wp_options rows that control site URLs or active plugins
How to Mitigate CVE-2026-4815
Immediate Actions Required
- Upgrade Schiocco Support Board to a fixed release once published by the vendor; consult the INCIBE advisory for version guidance
- Restrict access to /supportboard/include/ajax.php to authenticated, trusted users only and disable public registration where feasible
- Rotate WordPress administrator credentials and database passwords if exploitation is suspected
Patch Information
No vendor patch URL is listed in the NVD record at the time of publication. Administrators should monitor the Schiocco Support Board changelog and the INCIBE-CERT notice for the corrected version. Until a patch is available, treat all Support Board v3.7.7 installations as vulnerable.
Workarounds
- Place the Support Board endpoint behind a Web Application Firewall with SQL Injection signatures enabled for array parameter payloads
- Apply database-level least privilege so the WordPress database user cannot perform DROP and GRANT operations and sees as little of information_schema as possible; MySQL does not allow revoking information_schema outright and instead exposes metadata only for objects the user already holds privileges on, so granting nothing beyond the site's own database is what limits enumeration
- Temporarily disable the Support Board plugin on sites where customer support functionality is not actively in use
# Example ModSecurity rule blocking SQL tokens in the vulnerable parameter.
# The check is scoped to the Support Board endpoint and to the message_ids argument
# itself; a chained rule on the bare ARGS collection would match tokens in any parameter.
SecRule REQUEST_FILENAME "@endsWith /supportboard/include/ajax.php" \
    "id:1026481501,phase:2,deny,status:403,log,msg:'CVE-2026-4815 Support Board SQLi attempt',chain"
    SecRule ARGS:/^calls\[0\]\[message_ids\]/ "@rx (?i)(union\s+select|sleep\(|information_schema|--\s|0x[0-9a-f]+)" \
        "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

