{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10377", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-12T16:21:12.683Z", "datePublished": "2025-09-26T03:25:35.336Z", "dateUpdated": "2026-04-08T17:30:58.728Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:58.728Z"}, "affected": [{"vendor": "qriouslad", "product": "System Dashboard", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8.20", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "System Dashboard <= 2.8.20 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea38e16f-4012-4d22-9a47-76f91251e1d7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.20/admin/class-system-dashboard-admin.php#L9108"}, {"url": "https://plugins.trac.wordpress.org/changeset/3364295/system-dashboard/tags/2.8.21/admin/class-system-dashboard-admin.php?old=3253979&old_path=system-dashboard%2Ftags%2F2.8.20%2Fadmin%2Fclass-system-dashboard-admin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "\u0110\u1ed7 Quang Huy"}], "timeline": [{"time": "2025-09-25T14:44:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-26T19:33:50.821646Z", "id": "CVE-2025-10377", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:34:03.486Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-26T19:33:50.821646Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:33:57.784Z"}}], "cna": {"title": "System Dashboard <= 2.8.20 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "\u0110\u1ed7 Quang Huy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "qriouslad", "product": "System Dashboard", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.8.20"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-25T14:44:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea38e16f-4012-4d22-9a47-76f91251e1d7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.20/admin/class-system-dashboard-admin.php#L9108"}, {"url": "https://plugins.trac.wordpress.org/changeset/3364295/system-dashboard/tags/2.8.21/admin/class-system-dashboard-admin.php?old=3253979&old_path=system-dashboard%2Ftags%2F2.8.20%2Fadmin%2Fclass-system-dashboard-admin.php"}], "descriptions": [{"lang": "en", "value": "The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:58.728Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10377", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:58.728Z", "dateReserved": "2025-09-12T16:21:12.683Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-26T03:25:35.336Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-10377", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-26T04:15:54.603", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.20/admin/class-system-dashboard-admin.php#L9108"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3364295/system-dashboard/tags/2.8.21/admin/class-system-dashboard-admin.php?old=3253979&old_path=system-dashboard%2Ftags%2F2.8.20%2Fadmin%2Fclass-system-dashboard-admin.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea38e16f-4012-4d22-9a47-76f91251e1d7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:48:09.456961+00:00", "value": {"mitigation_remediation": ["Upgrade the System Dashboard plugin to version 2.8.21 or newer where nonce validation has been added to the logging toggle function.", "If immediate upgrade is not possible, remove or restrict the capability that allows toggling logs from the administrator role until the patch is applied.", "Configure a web application firewall or security plugin to block or flag unexpected POST requests to the log toggle endpoint that lack a valid nonce, mitigating accidental CSRF execution.", "As a temporary measure, disable critical logging features in the WordPress settings or via a custom plugin to prevent loss of audit data until the vulnerability is fully remediated."], "summary": {"action": "Apply patch", "impact": "Log configuration tampering via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the System Dashboard plugin developed by qriouslad. All releases up to and including version 2.8.20 are impacted. Specifically, any WordPress installation running System Dashboard 2.8.20 or earlier is at risk when an administrator has the option to access the admin logging toggle interface.", "description_and_impact": "The System Dashboard WordPress plugin exposes a function to toggle logging settings without validating a nonce. This lack of protection allows an attacker to send a forged request that, when an administrator follows a malicious link, changes the state of critical logs including Page Access Logs, Error Logs, and Email Delivery Logs. By disabling or altering these logs, an attacker can erase evidence of other malicious activity, undermining forensic investigations and monitoring capabilities. The weakness is a classic Cross\u2011Site Request Forgery, identified as CWE\u2011352, and it permits unauthorized configuration changes but does not provide code execution or direct data exfiltration.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate risk level, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited active exploitation. An attacker would need to entice a site administrator to click a crafted link or form, relying on social engineering to trigger a CSRF request. Because the attack requires the victim to be authenticated, the threat surface is confined to trusted admin accounts; however, the damage potential lies in disabling crucial logging that supports incident response."}}}}, "created": "2025-09-26T11:35:27.625790+00:00", "updated": "2026-04-21T03:00:06.373819+00:00", "vendors": ["bowo", "bowo$PRODUCT$system_dashboard", "wordpress", "wordpress$PRODUCT$wordpress"]}