CVE-2025-10377 is a medium-severity CSRF vulnerability in the System Dashboard plugin for WordPress, developed by qriouslad. The vulnerability exists in all versions up to and including 2.8.20 due to the absence of nonce validation in the sd_toggle_logs() function. Nonce validation is a security mechanism used in WordPress to verify that requests are intentional and originate from legitimate users. Without this protection, attackers can craft malicious requests that, when executed by an authenticated administrator (via clicking a link or visiting a malicious page), toggle critical logging settings such as Page Access Logs, Error Logs, and Email Delivery Logs. This manipulation can disable or enable logging features, potentially hindering incident detection and response or exposing sensitive operational data. The attack vector is network-based (remote), does not require privileges, but does require user interaction (UI:R). The vulnerability affects the integrity of the logging configuration but does not directly compromise confidentiality or availability. Although no public exploits are currently known, the vulnerability's presence in a widely used WordPress plugin makes it a notable risk. The lack of patch links suggests that fixes may be pending or not yet publicly released. The vulnerability was reserved and published in September 2025 and is tracked under CWE-352, which covers CSRF weaknesses.

The primary impact of this vulnerability is on the integrity of the affected WordPress site's logging configuration. By toggling logging settings, attackers can disable critical logs that track page access, errors, and email delivery, thereby impairing the site's ability to detect malicious activity or troubleshoot issues. This can facilitate further undetected attacks or data breaches. While confidentiality and availability are not directly compromised, the loss of logging visibility can indirectly increase risk by reducing forensic capabilities and incident response effectiveness. Organizations relying on the System Dashboard plugin for monitoring and auditing are particularly vulnerable. The attack requires an administrator to interact with a malicious link, so social engineering is a key component. The medium CVSS score reflects the moderate risk due to the need for user interaction and limited scope of impact. However, in high-security environments or those with compliance requirements for logging, the impact could be more severe.

1. Apply patches or updates from the plugin vendor as soon as they become available to ensure nonce validation is implemented in the sd_toggle_logs() function. 2. Until patches are released, restrict administrative access to trusted networks and users to reduce the risk of social engineering attacks. 3. Educate site administrators about the risks of clicking unsolicited or suspicious links, especially when logged into WordPress admin panels. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious POST requests targeting the sd_toggle_logs() endpoint. 5. Monitor logging settings regularly to detect unexpected changes in logging configurations. 6. Consider disabling or limiting the use of the System Dashboard plugin if it is not essential. 7. Use security plugins that add additional CSRF protections or nonce enforcement for admin actions. 8. Employ multi-factor authentication for administrator accounts to reduce the risk of account compromise that could facilitate exploitation.