CVE-2025-14615: CWE-352 Cross-Site Request Forgery (CSRF) in dashboardbuilder DASHBOARD BUILDER – WordPress plugin for Charts and Graphs
The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output.
AI Analysis
Technical Summary
The DASHBOARD BUILDER WordPress plugin for Charts and Graphs suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-14615, classified under CWE-352. This vulnerability exists in all versions up to and including 1.5.7 due to the absence of nonce validation in the settings handler located in dashboardbuilder-admin.php. Nonce validation is a critical security control in WordPress to prevent unauthorized state-changing requests: the nonce ties a submitted form to a page that the site itself rendered for the logged-in user, which a third-party site cannot reproduce. Because this validation is missing, an attacker can craft a malicious request that, when an authenticated site administrator unknowingly triggers it (e.g., by clicking a link), causes the plugin to update its stored SQL query and database credentials. The plugin uses these stored queries to generate charts and graphs via the [show-dashboardbuilder] shortcode. By modifying these queries, the attacker can inject arbitrary SQL commands, which are executed on the front-end when the shortcode renders. This leads to SQL injection, allowing unauthorized data access and exfiltration through the publicly visible chart output. The vulnerability requires user interaction (the administrator must trigger the forged request) but does not require the attacker to be authenticated. The CVSS v3.1 base score is 7.1, reflecting high severity due to network attack vector, low attack complexity, no privileges required, user interaction needed, and high confidentiality impact. Integrity impact is low, and availability is unaffected. No patches or exploits are currently publicly available, but the risk remains significant given the plugin's functionality and the potential for sensitive data leakage.
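The following is an added example, not code from the DASHBOARD BUILDER plugin or from the Wordfence advisory. It shows what a WordPress admin settings handler for a plugin that stores a user-supplied SQL query looks like without the controls the analysis above names, and beside it a hardened version that adds a capability check, nonce validation via check_admin_referer(), and validation of the stored query before it is saved. All function names (dbb_example_*), the admin_post action name, the option name and the form field names are hypothetical; the WordPress API calls (current_user_can, check_admin_referer, wp_nonce_field, update_option, wp_unslash, wp_safe_redirect) are real core functions.

```php
<?php
// Added example (hypothetical plugin code, not the DASHBOARD BUILDER plugin's own).
// Demonstrates the missing-nonce pattern behind CWE-352 and its fix.

// --- BEFORE: the shape of a CSRF-prone settings handler --------------------
// Any POST that reaches admin-post.php with the right 'action' value is
// accepted. A page on another origin can auto-submit such a form; the
// administrator's browser attaches the WordPress login cookie, so the
// request looks like a legitimate settings save and overwrites the query.
function dbb_example_save_settings_unsafe() {
    // No current_user_can() and no nonce check: anyone who can get an admin's
    // browser to send this request can rewrite the stored query.
    update_option( 'dbb_example_query', wp_unslash( $_POST['dbb_query'] ?? '' ) );
}

// --- AFTER: hardened handler -----------------------------------------------
add_action( 'admin_post_dbb_example_save_settings', 'dbb_example_save_settings' );

function dbb_example_save_settings() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'dbb-example' ), 403 );
    }

    // 2. Nonce check. check_admin_referer() looks up the field named
    //    'dbb_example_nonce', verifies it against the action string and the
    //    current user, and dies with a 403 if it is missing or invalid.
    //    A forged cross-site form cannot carry a valid value for it.
    check_admin_referer( 'dbb_example_save_settings', 'dbb_example_nonce' );

    // 3. Validate the submitted query before storing it. Even with CSRF
    //    fixed, a stored free-form query is executed later on the front-end,
    //    so limit what an administrator (or a compromised admin session) can
    //    persist: one read-only statement, no stacked statements or comments.
    $query = trim( wp_unslash( $_POST['dbb_query'] ?? '' ) );
    if ( ! dbb_example_is_allowed_query( $query ) ) {
        wp_die( esc_html__( 'Only a single SELECT statement is allowed.', 'dbb-example' ), 400 );
    }

    update_option( 'dbb_example_query', $query, false );

    wp_safe_redirect(
        add_query_arg( 'settings-updated', 'true', admin_url( 'admin.php?page=dbb-example' ) )
    );
    exit;
}

// Conservative allow-list for the stored query (hypothetical policy).
function dbb_example_is_allowed_query( $query ) {
    if ( $query === '' || strlen( $query ) > 2000 ) {
        return false;                                   // empty or implausibly long
    }
    if ( ! preg_match( '/^SELECT\b/i', $query ) ) {
        return false;                                   // must be a SELECT
    }
    if ( strpos( $query, ';' ) !== false ) {
        return false;                                   // no stacked statements
    }
    if ( preg_match( '#(--|\#|/\*)#', $query ) ) {
        return false;                                   // no SQL comments
    }
    return true;
}

// --- Form side: emits the nonce that the hardened handler verifies --------
function dbb_example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dbb_example_save_settings">
        <?php wp_nonce_field( 'dbb_example_save_settings', 'dbb_example_nonce' ); ?>
        <textarea name="dbb_query" rows="6" cols="80"><?php
            echo esc_textarea( get_option( 'dbb_example_query', '' ) );
        ?></textarea>
        <?php submit_button( esc_html__( 'Save query', 'dbb-example' ) ); ?>
    </form>
    <?php
}
```

The nonce and capability checks close the CSRF path; the query allow-list is defence in depth for the second half of the advisory, where the stored query is executed when the shortcode renders. Whatever database account the plugin uses for that execution should be a separate, read-only user scoped to the tables the charts need, so that even a successfully planted query cannot reach credential or user tables.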
Potential Impact
This vulnerability poses a significant risk to organizations using the DASHBOARD BUILDER WordPress plugin, especially those displaying sensitive or proprietary data via charts and graphs. Successful exploitation can lead to unauthorized modification of SQL queries and database credentials, resulting in arbitrary SQL injection attacks. This can compromise the confidentiality of the underlying database by exposing sensitive information through the plugin's front-end output. Data exfiltration through publicly visible charts can lead to data breaches, regulatory non-compliance, and reputational damage. Since the attack requires tricking an administrator, organizations with less security-aware admins or lacking multi-factor authentication are at higher risk. The integrity of the data is partially impacted due to possible query manipulation, but availability remains unaffected. The vulnerability could be leveraged as a foothold for further attacks if database credentials are altered or exposed. Overall, the threat affects the confidentiality and integrity of data and could have severe consequences for organizations relying on this plugin for business intelligence or reporting.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately implement the following specific actions:
1) Disable or remove the DASHBOARD BUILDER plugin until a patched version is released.
2) Monitor and restrict administrator access to trusted personnel only, minimizing the risk of social engineering.
3) Educate administrators about the risks of clicking unknown or suspicious links, especially when logged into WordPress admin.
4) Implement Web Application Firewall (WAF) rules to detect and block suspicious POST requests targeting dashboardbuilder-admin.php or related endpoints.
5) Audit and review all stored SQL queries and database credentials configured in the plugin for unauthorized changes.
6) If possible, isolate the plugin's database user with minimal privileges to limit the impact of SQL injection.
7) Regularly back up WordPress site data and configurations to enable recovery from potential compromise.
8) Monitor logs for unusual activity related to the plugin's shortcode rendering or admin settings changes.
9) Once available, promptly apply official patches or updates from the plugin vendor addressing nonce validation.
10) Consider implementing Content Security Policy (CSP) and other browser-side protections to reduce the risk of CSRF attacks.
These targeted measures go beyond generic advice by focusing on the plugin's specific attack vectors and operational context.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-12T20:47:27.527Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69672e008330e067168f3fe2
Added to database: 1/14/2026, 5:47:44 AM
Last enriched: 2/27/2026, 11:28:08 AM
Last updated: 3/24/2026, 12:27:38 AM