Description
The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output.
Published: 2026-01-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection via CSRF
Action: Immediate Patch
AI Analysis

Impact

The DASHBOARD BUILDER WordPress plugin contains a Cross-Site Request Forgery vulnerability in versions up to 1.5.7. Because the settings handler does not validate a nonce, an attacker can send a forged request that an administrator will accept. This can change the plugin's stored SQL query and database credentials that the [show-dashboardbuilder] shortcode uses. When the shortcode is rendered on the front-end, the altered query is executed, allowing the attacker to perform arbitrary SQL injection and extract data from the database. The weakness belongs to CWE-352.

Affected Systems

All WordPress sites running the Dashboard Builder plugin at version 1.5.7 or earlier are affected. The affected product is the WordPress plugin Dashboard Builder – WordPress plugin for Charts and Graphs. No other software, operating system or WordPress core version is specified, so the impact applies to every installation that has not moved beyond 1.5.7.

Risk and Exploitability

The CVSS score of 7.1 signals high severity, while the EPSS score of less than 1% indicates a low but nonzero likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. An attacker only needs to entice an administrator to visit a crafted link or click a button; no authentication is required. Successful exploitation grants the ability to inject arbitrary SQL, which can lead to unauthorized data exfiltration or further compromise of database permissions.

Generated by OpenCVE AI on April 22, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dashboard Builder to the latest available version, which implements proper nonce validation and removes the ability to modify stored queries through the settings page.
  • If an upgrade cannot be performed immediately, deactivate or remove the [show-dashboardbuilder] shortcode from all pages and posts until the plugin is patched, preventing the execution of potentially unsafe queries.
  • Restrict the database privileges granted to the plugin's database user to the minimum required (e.g., SELECT only), limiting damage if an injection occurs.
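As an added illustration of the nonce validation the first recommendation refers to (example code written here, not the plugin's own; the option name, form action, hook name and page slug are hypothetical), a WordPress settings handler in the vulnerable shape the advisory describes beside the hardened shape:

```php
<?php
// Added example, not from the Dashboard Builder plugin. Option name, action
// and page slug are hypothetical placeholders.

// BEFORE: accepts any POST that reaches the handler. A forged cross-site
// form submitted by a logged-in administrator's browser carries the admin's
// cookies, so nothing distinguishes it from a genuine settings save.
function dbb_demo_save_settings_vulnerable() {
    update_option( 'dbb_demo_chart_query', wp_unslash( $_POST['query'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=dbb-demo' ) );
    exit;
}

// AFTER (1/2): the settings form embeds a nonce tied to this action.
// A forged request from another origin cannot obtain this value.
function dbb_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'dbb_demo_save_settings', 'dbb_demo_nonce' );
    echo '<input type="hidden" name="action" value="dbb_demo_save">';
    echo '<textarea name="query">' . esc_textarea( get_option( 'dbb_demo_chart_query', '' ) ) . '</textarea>';
    submit_button( 'Save query' );
    echo '</form>';
}

// AFTER (2/2): the handler requires both a capability and a valid nonce.
// check_admin_referer() terminates the request with a 403 when the nonce
// is missing, expired or bound to a different action.
function dbb_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'dbb_demo_save_settings', 'dbb_demo_nonce' );

    $query = wp_unslash( $_POST['query'] ?? '' );
    update_option( 'dbb_demo_chart_query', $query );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=dbb-demo' ) ) );
    exit;
}
add_action( 'admin_post_dbb_demo_save', 'dbb_demo_save_settings_hardened' );
```

The nonce closes only the cross-site path; the stored query is still executed with whatever privileges the plugin's database user holds, which is why the third recommendation (least-privilege database grants) still applies after patching.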


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type: Description
Values Added: The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output.

Type: Title
Values Added: DASHBOARD BUILDER <= 1.5.7 - Cross-Site Request Forgery to SQL Injection

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:58.593Z

Reserved: 2025-12-12T20:47:27.527Z

Link: CVE-2025-14615

Vulnrichment

Updated: 2026-01-14T15:45:20.634Z

NVD

Status: Deferred

Published: 2026-01-14T06:15:53.050

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses