{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14615", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-12T20:47:27.527Z", "datePublished": "2026-01-14T05:28:03.897Z", "dateUpdated": "2026-04-08T16:35:58.593Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:58.593Z"}, "affected": [{"vendor": "dashboardbuilder", "product": "DASHBOARD BUILDER \u2013 WordPress plugin for Charts and Graphs", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The DASHBOARD BUILDER \u2013 WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output."}], "title": "DASHBOARD BUILDER <= 1.5.7 - Cross-Site Request Forgery to SQL Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "omer yeshayahu"}], "timeline": [{"time": "2026-01-13T17:22:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T15:45:18.431190Z", "id": "CVE-2025-14615", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T19:17:25.639Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14615", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T15:45:18.431190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T15:45:20.634Z"}}], "cna": {"title": "DASHBOARD BUILDER <= 1.5.7 - Cross-Site Request Forgery to SQL Injection", "credits": [{"lang": "en", "type": "finder", "value": "omer yeshayahu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"}}], "affected": [{"vendor": "dashboardbuilder", "product": "DASHBOARD BUILDER \u2013 WordPress plugin for Charts and Graphs", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-13T17:22:32.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51"}], "descriptions": [{"lang": "en", "value": "The DASHBOARD BUILDER \u2013 WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-14T05:28:03.897Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14615", "state": "PUBLISHED", "dateUpdated": "2026-01-14T19:17:25.639Z", "dateReserved": "2025-12-12T20:47:27.527Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T05:28:03.897Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DASHBOARD BUILDER \u2013 WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output."}, {"lang": "es", "value": "El plugin de WordPress DASHBOARD BUILDER \u2013 plugin para Gr\u00e1ficos y Cuadros es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.5.7, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en el manejador de configuraciones en dashboardbuilder-admin.php. Esto hace posible que atacantes no autenticados modifiquen la consulta SQL almacenada y las credenciales de la base de datos utilizadas por el shortcode [show-dashboardbuilder] a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace. La consulta SQL modificada se ejecuta posteriormente en el front-end cuando se renderiza el shortcode, lo que permite la inyecci\u00f3n SQL arbitraria y la exfiltraci\u00f3n de datos a trav\u00e9s de la salida del gr\u00e1fico visible p\u00fablicamente."}], "id": "CVE-2025-14615", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T06:15:53.050", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:11:11.831287+00:00", "value": {"mitigation_remediation": ["Upgrade Dashboard Builder to the latest available version, which implements proper nonce validation and removes the ability to modify stored queries through the settings page.", "If an upgrade cannot be performed immediately, deactivate or remove the [show\u2011dashboardbuilder] shortcode from all pages and posts until the plugin is patched, preventing the execution of potentially unsafe queries.", "Restrict the database privileges granted to the plugin's database user to the minimum required (e.g., SELECT only), limiting damage if an injection occurs."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection via CSRF"}, "threat_synthesis": {"affected_systems": "All WordPress sites with the Dashboard Builder plugin v1.5.7 or earlier are affected. The vendor is a WordPress plugin called Dashboard Builder \u2013 WordPress plugin for Charts and Graphs. No other software, OS or core WordPress versions are specified, so the impact applies to every installation that has not moved beyond 1.5.7.", "description_and_impact": "The DASHBOARD BUILDER WordPress plugin contains a Cross\u2011Site Request Forgery vulnerability in versions up to 1.5.7. Because the settings handler does not validate a nonce, an attacker can send a forged request that an administrator will accept. This can change the plugin's stored SQL query and database credentials that the [show\u2011dashboardbuilder] shortcode uses. When the shortcode is rendered on the front\u2011end, the altered query is executed, allowing the attacker to perform arbitrary SQL injection and extract data from the database. The weakness belongs to CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 7.1 signals high severity, while the EPSS score of less than 1\u202f% indicates a low but nonzero likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. An attacker only needs to entice an administrator to visit a crafted link or click a button, and no authentication is required. Successful exploitation grants the ability to inject arbitrary SQL, which can lead to unauthorized data exfiltration or further compromise of database permissions."}}}}, "created": "2026-01-14T10:48:25.891355+00:00", "updated": "2026-04-22T20:15:20.535033+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}