{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2276", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-13T10:10:46.649Z", "datePublished": "2025-03-25T23:22:00.604Z", "dateUpdated": "2026-04-08T17:35:26.004Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:26.004Z"}, "affected": [{"vendor": "davidvongries", "product": "Ultimate Dashboard \u2013 Custom WordPress Dashboard", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ultimate Dashboard \u2013 Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules."}], "title": "Ultimate Dashboard <= 3.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffee6564-2718-4461-b481-cbf0e204a04d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-dashboard/tags/3.8.7/modules/feature/class-feature-module.php#L118"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-03-10T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-03-25T11:05:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-26T14:49:50.843311Z", "id": "CVE-2025-2276", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T14:49:55.004Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2276", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-26T14:49:50.843311Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T14:49:42.091Z"}}], "cna": {"title": "Ultimate Dashboard <= 3.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "davidvongries", "product": "Ultimate Dashboard \u2013 Custom WordPress Dashboard", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.8.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-10T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-03-25T11:05:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffee6564-2718-4461-b481-cbf0e204a04d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-dashboard/tags/3.8.7/modules/feature/class-feature-module.php#L118"}], "descriptions": [{"lang": "en", "value": "The Ultimate Dashboard \u2013 Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:26.004Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2276", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:35:26.004Z", "dateReserved": "2025-03-13T10:10:46.649Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-25T23:22:00.604Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ultimate Dashboard \u2013 Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules."}, {"lang": "es", "value": "El complemento Ultimate Dashboard \u2013 Custom WordPress Dashboard para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n handle_module_actions en todas las versiones hasta la 3.8.7 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, activen o desactiven los m\u00f3dulos del complemento."}], "id": "CVE-2025-2276", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-26T00:15:13.440", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-dashboard/tags/3.8.7/modules/feature/class-feature-module.php#L118"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffee6564-2718-4461-b481-cbf0e204a04d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:29:50.019819+00:00", "value": {"mitigation_remediation": ["Upgrade Ultimate Dashboard to a version newer than 3.8.7 that includes the missing capability check.", "Restrict the Subscriber role from capabilities that allow configuration of plugin modules, such as \"activate_plugins\" or equivalent custom capabilities used by Ultimate Dashboard.", "Audit other WordPress plugins for missing capability checks to prevent similar privilege escalation attacks."], "summary": {"action": "Apply Patch", "impact": "Unauthorized activation or deactivation of plugin modules by subscribers and higher roles"}, "threat_synthesis": {"affected_systems": "The affected product is the Ultimate Dashboard \u2013 Custom WordPress Dashboard plugin developed by David Vongries. Versions up to and including 3.8.7 are vulnerable. No other products or versions are listed.\n", "description_and_impact": "The vulnerability originates from a missing capability check in the handle_module_actions function of the Ultimate Dashboard \u2013 Custom WordPress Dashboard plugin. Because this check is absent, any authenticated user with at least Subscriber\u2011level access can toggle the activation state of individual plugin modules. This grants the attacker the ability to change the functionality of the site, potentially enabling legacy or experimental modules, disabling critical features, or altering the user experience in ways that a site administrator might not intend. The formal weakness is classified as CWE\u2011862, indicating an unauthorized modification due to improper access control. The direct impact is a loss of control over which modules are active, undermining the site\u2019s intended behavior and integrity.\n", "risk_and_exploitability": "The CVSS score of 4.3 places the flaw in the moderate range, reflecting that while the attacker must be authenticated, the lack of an authorization check materially affects configuration. The EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the authenticated WordPress interface, where a user with Subscriber or higher role can invoke the module activation endpoint. No public exploit is reported, and the exploitability is limited to sites that have not applied the latest plugin release."}}}}, "created": "2026-04-20T23:30:16.127803+00:00", "updated": "2026-04-20T23:30:16.127820+00:00", "vendors": []}