
CVE-2025-14615: CWE-352 Cross-Site Request Forgery (CSRF) in dashboardbuilder DASHBOARD BUILDER – WordPress plugin for Charts and Graphs

Severity: High
Tags: Vulnerability, cve, cve-2025-14615, cwe-352
Published: Wed Jan 14 2026 (01/14/2026, 05:28:03 UTC)
Source: CVE Database V5
Vendor/Project: dashboardbuilder
Product: DASHBOARD BUILDER – WordPress plugin for Charts and Graphs

Description

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output.

AI-Powered Analysis

AI analysis last updated: 01/14/2026, 06:03:15 UTC

Technical Analysis

The DASHBOARD BUILDER WordPress plugin for Charts and Graphs suffers from a Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2025-14615 and classified under CWE-352, affecting all versions up to and including 1.5.7. The root cause is the absence of nonce validation in the settings handler in dashboardbuilder-admin.php, which processes the plugin's configuration changes. Because the handler never verifies a WordPress nonce, it cannot distinguish a form submitted from the plugin's own settings page from one submitted by a page the attacker controls. An attacker therefore crafts a request that, when an authenticated site administrator's browser issues it (by clicking a link or visiting a malicious page), replaces the plugin's stored SQL query and the database credentials it uses. That stored query is executed whenever the [show-dashboardbuilder] shortcode renders a chart on the front end, so the attacker's SQL runs against the database and its result set is rendered into chart output that any visitor can read. The CSRF is thus a write primitive into a configuration field the plugin treats as trusted SQL, and the chart itself is the exfiltration channel; no further access to the site is needed. The attacker needs no account on the target, but the attack does depend on an administrator interacting with attacker-controlled content while logged in. The CVSS 3.1 base score is 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N): network attack vector, low attack complexity, no privileges required, user interaction required, high confidentiality impact and low integrity impact. At the time of this analysis no patch or public exploit code had been reported; the combination of CSRF with stored SQL executed on a public page nevertheless makes this a serious issue for any site running the plugin.
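As an added illustration of the missing-nonce pattern described above (this is hypothetical example code, not dashboardbuilder's own; the `hypo_` option and field names, the `hypo-dashboard` page slug and the `admin_init` hook are assumptions), here is a minimal WordPress settings handler in vulnerable form next to its hardened form:

```php
<?php
// Added example (hypothetical names, not dashboardbuilder's code): the CWE-352 pattern
// in a WordPress settings handler, vulnerable form first, hardened form second.

// --- Vulnerable: any POST that reaches the admin page is honoured. A form on an
// attacker's site can submit these fields; the admin's browser attaches the logged-in
// cookie, so the stored SQL and credentials are silently overwritten.
function hypo_vulnerable_save_settings() {
    if ( ! isset( $_POST['hypo_save'] ) ) {
        return;
    }
    update_option( 'hypo_sql_query', wp_unslash( $_POST['hypo_sql_query'] ?? '' ) );
    update_option( 'hypo_db_user', sanitize_text_field( wp_unslash( $_POST['hypo_db_user'] ?? '' ) ) );
    update_option( 'hypo_db_pass', wp_unslash( $_POST['hypo_db_pass'] ?? '' ) );
}

// --- Hardened: the form carries a nonce bound to this site, this user and this
// action; the handler checks capability and nonce before touching any option.
function hypo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=hypo-dashboard' ) ); ?>">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <textarea name="hypo_sql_query"><?php echo esc_textarea( get_option( 'hypo_sql_query', '' ) ); ?></textarea>
        <input type="text" name="hypo_db_user" value="<?php echo esc_attr( get_option( 'hypo_db_user', '' ) ); ?>">
        <input type="password" name="hypo_db_pass" value="" autocomplete="new-password">
        <?php submit_button( 'Save settings', 'primary', 'hypo_save' ); ?>
    </form>
    <?php
}

function hypo_hardened_save_settings() {
    if ( ! isset( $_POST['hypo_save'] ) ) {
        return;
    }
    // Capability check: a logged-in low-privilege user must not be able to save either.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), '', array( 'response' => 403 ) );
    }
    // Nonce check: a cross-site page cannot read the nonce, so a forged request stops here.
    // check_admin_referer() exits with WordPress's "link has expired" page on failure.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );

    $query = trim( (string) wp_unslash( $_POST['hypo_sql_query'] ?? '' ) );
    // Defence in depth: the stored string is still executed verbatim later, so refuse
    // anything that is not a single SELECT. This is a coarse guard, not a SQL parser;
    // least privilege on the database account is the real backstop.
    if ( ! preg_match( '/^SELECT\b/i', $query ) || false !== strpos( $query, ';' ) ) {
        wp_die( esc_html__( 'Only a single SELECT statement is allowed.', 'hypo' ), '', array( 'response' => 400 ) );
    }
    update_option( 'hypo_sql_query', $query );
    update_option( 'hypo_db_user', sanitize_text_field( wp_unslash( $_POST['hypo_db_user'] ?? '' ) ) );
    if ( ! empty( $_POST['hypo_db_pass'] ) ) {
        update_option( 'hypo_db_pass', (string) wp_unslash( $_POST['hypo_db_pass'] ) );
    }
}
add_action( 'admin_init', 'hypo_hardened_save_settings' );
```

The nonce is what breaks the attack: `wp_nonce_field()` embeds a value derived from the user's session and the action name, and a page on another origin cannot read it, so the forged POST arrives without it and `check_admin_referer()` refuses the request. The capability check is a separate control against logged-in users who should not manage settings at all. The SELECT-only guard does not make the feature safe on its own, because a single SELECT can still read every table the database account can see.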

Potential Impact

For European organizations, exploitation can disclose data held in the WordPress database, including personal data protected under GDPR, because the injected SQL runs with whatever privileges the plugin's stored database credentials carry and the result is published in a chart that anyone can view. Since the stored credentials can also be overwritten, an attacker may be able to change which database and account the plugin queries, which could extend the compromise to other backend systems. Public-facing dashboards can leak confidential business intelligence or customer information. The attack depends on an administrator opening attacker-controlled content while logged in, so security awareness matters; multi-factor authentication on admin accounts does not reduce this risk, because the forged request is sent by a browser session the administrator has already authenticated. Compromise could damage reputation, lead to regulatory fines, and disrupt business operations. Given WordPress's popularity in Europe and the use of dashboard plugins for reporting, the threat is significant especially for sectors such as finance, healthcare, and public services that expose data visualizations on their sites.

Mitigation Recommendations

Immediate mitigation steps include disabling or uninstalling the DASHBOARD BUILDER plugin until a patched version is available; if it must stay active, remove the [show-dashboardbuilder] shortcode from public pages in the meantime, since the shortcode is where the stored query is executed and its output exposed. Administrators should be warned that clicking an attacker-supplied link while logged in is enough to trigger the change, and should log out of wp-admin when not using it. Web Application Firewall (WAF) rules that reject state-changing requests to dashboardbuilder-admin.php whose Origin, Referer or Sec-Fetch-Site headers indicate a cross-site source can block the forged request itself. Note that multi-factor authentication and IP allowlisting of the admin panel do not stop CSRF: the forged request is issued by the administrator's own, already-authenticated browser from the administrator's own address. Setting SameSite=Strict on the WordPress authentication cookies (at the web server or through a plugin, since core does not set it) stops the browser from attaching the session cookie to requests initiated from another site; SameSite=Lax still allows top-level GET navigations, so it only helps if the handler ignores GET. Regularly audit the plugin's stored SQL query and database credentials for unauthorized changes and alert on any modification. Subscribe to vendor and security mailing lists to apply a patch promptly once available. Finally, give the database account the plugin uses the least privilege possible, ideally read-only SELECT on only the tables the charts need, so that an injected query cannot read the users table (wp_users by default) or modify data.
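One way to implement the cross-site request filtering suggested above without waiting for a vendor fix is a must-use plugin that runs before any regular plugin and rejects state-changing requests to the plugin's admin script that the browser marks as cross-site. This is an added example, not vendor code; it assumes the settings page is reached through a URL containing the plugin slug `dashboardbuilder`, that the handler only saves on POST, and that the file is installed under wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Hypothetical CSRF virtual patch for dashboardbuilder-admin.php
 * Description: Added example, not vendor code. Install in wp-content/mu-plugins/ so it
 *              runs before every regular plugin and rejects cross-site state-changing
 *              requests aimed at the vulnerable settings script.
 */

// Decide whether a state-changing request came from another site. A pure function over
// the server array so it can be reasoned about and tested without WordPress loaded.
function hypo_is_cross_site_request( array $server, string $site_host ): bool {
    $method = strtoupper( $server['REQUEST_METHOD'] ?? 'GET' );
    // Add 'GET' here if the handler also saves settings on GET; that would also block
    // legitimate external links to the page, which is the price of a virtual patch.
    if ( ! in_array( $method, array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true ) ) {
        return false;
    }
    // Sec-Fetch-Site is set by the browser and cannot be altered by a forged form or
    // script on the attacker's page. 'none' means user-initiated (typed URL, bookmark).
    // 'same-site' (a sibling subdomain) is deliberately not trusted.
    $sfs = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    if ( '' !== $sfs ) {
        return ! in_array( $sfs, array( 'same-origin', 'none' ), true );
    }
    // Browsers without Sec-Fetch-Site: fall back to the Origin header, then Referer.
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $server[ $header ] ) ) {
            $host = (string) wp_parse_url( $server[ $header ], PHP_URL_HOST );
            return 0 !== strcasecmp( $host, $site_host );
        }
    }
    // A state-changing request with no provenance headers at all is treated as hostile.
    return true;
}

// Assumption: the settings page URL contains the plugin slug.
function hypo_targets_dashboardbuilder( string $request_uri ): bool {
    return false !== stripos( $request_uri, 'dashboardbuilder' );
}

$hypo_uri = $_SERVER['REQUEST_URI'] ?? '';
if ( hypo_targets_dashboardbuilder( $hypo_uri ) ) {
    // HTTP_HOST is what the browser sent, minus any port, which is what Origin/Referer
    // hosts are compared against. home_url() would also work once WordPress is loaded.
    $hypo_host = strtolower( preg_replace( '/:\d+$/', '', (string) ( $_SERVER['HTTP_HOST'] ?? '' ) ) );
    if ( hypo_is_cross_site_request( $_SERVER, $hypo_host ) ) {
        error_log( sprintf(
            'hypo-csrf-patch: blocked %s %s from %s',
            $_SERVER['REQUEST_METHOD'] ?? '?',
            $hypo_uri,
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ) );
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}
```

Before relying on it, save the plugin's settings from the real admin page once to confirm the same-origin path still works, and check that any reverse proxy or CDN in front of the site passes the Sec-Fetch-Site, Origin and Referer headers through unchanged. The error_log line gives the audit trail the mitigation section asks for: a blocked request with a foreign Origin is direct evidence that someone attempted the forged request against an administrator.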


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-12T20:47:27.527Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69672e008330e067168f3fe2

Added to database: 1/14/2026, 5:47:44 AM

Last enriched: 1/14/2026, 6:03:15 AM

Last updated: 1/14/2026, 6:29:59 PM


