Description
The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. This makes it possible for unauthenticated attackers to toggle plugin modules on or off via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ultimate Dashboard for WordPress contains a Cross‑Site Request Forgery flaw (CWE‑352) in the nonce validation within the 'handle_module_actions' function. The broken check allows an attacker to craft a forged request that toggles the activation state of any installed module without requiring valid credentials. An attacker can exploit this by generating a link or email that an administrator clicks, which then sends the malicious request and enables or disables modules. The result is an unauthorized change to site configuration, potentially turning off security or access‑control modules and creating an opportunity for further compromise.

Affected Systems

WordPress sites that have the Ultimate Dashboard – Custom WordPress Dashboard plugin installed in version 3.8.14 or earlier. No specific WordPress core version is tied to the issue; any site running a vulnerable plugin instance is affected.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating moderate severity. Its EPSS score is less than 1%, suggesting a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Although no direct authentication is required for the request, an attacker must rely on social engineering or a malicious link to get a site administrator to click, making the attack vector low‑barrier. The impact of disabling critical modules is significant enough to warrant timely remediation.

Generated by OpenCVE AI on May 2, 2026 at 10:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ultimate Dashboard to version 3.8.15 or newer where the nonce validation bug is fixed.
  • If an upgrade is not immediately possible, disable or remove the plugin modules that are not essential so they cannot be altered remotely.
  • Implement additional CSRF safeguards, such as validating the referer or origin header for administrative actions performed by the plugin, or apply a web‑application firewall rule to flag unexpected module‑toggle requests.

Generated by OpenCVE AI on May 2, 2026 at 10:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Davidvongries
Davidvongries ultimate Dashboard – Custom Wordpress Dashboard
Wordpress
Wordpress wordpress
Vendors & Products Davidvongries
Davidvongries ultimate Dashboard – Custom Wordpress Dashboard
Wordpress
Wordpress wordpress

Fri, 01 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. This makes it possible for unauthenticated attackers to toggle plugin modules on or off via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Ultimate Dashboard <= 3.8.14 - Cross-Site Request Forgery to Module Activation/Deactivation
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Davidvongries Ultimate Dashboard – Custom Wordpress Dashboard
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-01T19:29:49.556Z

Reserved: 2026-02-24T17:43:20.891Z

Link: CVE-2026-3140

cve-icon Vulnrichment

Updated: 2026-05-01T13:59:16.295Z

cve-icon NVD

Status : Deferred

Published: 2026-05-01T12:16:15.940

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-3140

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T16:07:35Z

Weaknesses