Description
The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings, including Page Access Logs, Error Logs, and Email Delivery Logs, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Log configuration tampering via CSRF
Action: Apply patch
AI Analysis

Impact

The System Dashboard WordPress plugin exposes a function to toggle logging settings without validating a nonce. This lack of protection allows an attacker to send a forged request that, when an administrator follows a malicious link, changes the state of critical logs including Page Access Logs, Error Logs, and Email Delivery Logs. By disabling or altering these logs, an attacker can erase evidence of other malicious activity, undermining forensic investigations and monitoring capabilities. The weakness is a classic Cross-Site Request Forgery, identified as CWE-352, and it permits unauthorized configuration changes but does not provide code execution or direct data exfiltration.
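As an added illustration (hypothetical code, not the System Dashboard plugin's own source): a WordPress admin-AJAX log toggle written first in the pattern the advisory describes, with no nonce check, and then hardened with `check_ajax_referer()` plus a capability check and a whitelist of log types. The function names, option names, the `nonce` request field and the log-type keys are assumptions.

```php
<?php
// Illustrative WordPress admin-AJAX handlers modelled on the pattern the
// advisory describes. Hypothetical code, not the plugin's own; option names,
// field names and log-type keys are assumed.

// Vulnerable form: any POST that reaches admin-ajax.php while the victim's
// admin session cookie is sent will flip the option, because no nonce ties
// the request to a page the site itself rendered for this user.
function sd_toggle_logs_vulnerable() {
    $log_type = sanitize_key( $_POST['log_type'] ?? '' );
    $enabled  = ( $_POST['enabled'] ?? '' ) === '1';
    update_option( 'sd_log_' . $log_type, $enabled ? 'yes' : 'no' );
    wp_send_json_success( array( 'log_type' => $log_type, 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_sd_toggle_logs_vulnerable', 'sd_toggle_logs_vulnerable' );

// Hardened form: require a nonce bound to the action, require the capability
// needed to change plugin settings, and accept only known log types.
function sd_toggle_logs_hardened() {
    // Verifies the 'sd_toggle_logs' nonce sent in the 'nonce' field and
    // terminates the request (-1) if it is missing, expired or forged.
    check_ajax_referer( 'sd_toggle_logs', 'nonce' );

    // A valid nonce only proves the request came from the site's own admin UI;
    // the capability check still stops low-privilege logged-in users.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $allowed  = array( 'page_access', 'errors', 'email_delivery' ); // assumed keys
    $log_type = sanitize_key( $_POST['log_type'] ?? '' );
    if ( ! in_array( $log_type, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown log type.' ), 400 );
    }
    $enabled = ( $_POST['enabled'] ?? '' ) === '1';
    update_option( 'sd_log_' . $log_type, $enabled ? 'yes' : 'no' );
    wp_send_json_success( array( 'log_type' => $log_type, 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_sd_toggle_logs_hardened', 'sd_toggle_logs_hardened' );

// The admin page's script must send the matching nonce; hand it over with
// wp_localize_script() when the settings page loads.
function sd_enqueue_toggle_script() {
    wp_enqueue_script( 'sd-toggle', plugins_url( 'toggle.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'sd-toggle', 'sdToggle', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'sd_toggle_logs' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'sd_enqueue_toggle_script' );
```

A WAF rule that flags POSTs to `admin-ajax.php` with `action=sd_toggle_logs` and no `nonce` parameter gives a detection signal for the vulnerable version, but the nonce check in the handler is the actual fix.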

Affected Systems

The vulnerability affects the System Dashboard plugin developed by qriouslad. All releases up to and including version 2.8.20 are impacted. Specifically, any WordPress installation running System Dashboard 2.8.20 or earlier is at risk when an administrator with access to the logging toggle interface can be induced to follow a crafted link or submit a forged request.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate risk level, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited active exploitation. An attacker would need to entice a site administrator to click a crafted link or submit a crafted form, relying on social engineering to trigger the CSRF request. Because the attack requires the victim to be authenticated, the threat surface is confined to trusted admin accounts; however, the damage potential lies in disabling crucial logging that supports incident response.

Generated by OpenCVE AI on April 21, 2026 at 02:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the System Dashboard plugin to version 2.8.21 or newer where nonce validation has been added to the logging toggle function.
  • If immediate upgrade is not possible, remove or restrict the capability that allows toggling logs from the administrator role until the patch is applied.
  • Configure a web application firewall or security plugin to block or flag unexpected POST requests to the log toggle endpoint that lack a valid nonce, mitigating accidental CSRF execution.
  • As a temporary measure, disable critical logging features in the WordPress settings or via a custom plugin to prevent loss of audit data until the vulnerability is fully remediated.


Advisories

Source   ID                Title
EUVD     EUVD-2025-31207   The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 26 Sep 2025 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 11:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Bowo; Bowo system Dashboard; Wordpress; Wordpress wordpress
Vendors & Products                     Bowo; Bowo system Dashboard; Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 03:45:00 +0000

Type          Values Removed   Values Added
Description                    The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title                          System Dashboard <= 2.8.20 - Cross-Site Request Forgery
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:58.728Z

Reserved: 2025-09-12T16:21:12.683Z

Link: CVE-2025-10377

Vulnrichment

Updated: 2025-09-26T19:33:57.784Z

NVD

Status: Deferred

Published: 2025-09-26T04:15:54.603

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses