Platform
wordpress
Component
dashboard-builder
Fixed in
1.5.8
CVE-2025-14615 describes a SQL Injection vulnerability discovered in the DASHBOARD BUILDER – WordPress plugin for Charts and Graphs. This flaw allows unauthenticated attackers to manipulate SQL queries and database credentials, potentially compromising sensitive data. The vulnerability impacts versions 1.0.0 through 1.5.7, and a fix is expected in a future plugin release.
The SQL Injection vulnerability in DASHBOARD BUILDER allows an attacker to execute arbitrary SQL queries against the WordPress database. This can lead to a wide range of malicious activities, including data exfiltration (stealing user credentials, financial information, or other sensitive data), data modification (altering website content or user profiles), and even complete database takeover. Successful exploitation hinges on tricking a site administrator into clicking a malicious link containing a forged request. The ability to modify database credentials elevates the risk significantly, potentially granting the attacker persistent access to the entire WordPress installation.
CVE-2025-14615 was publicly disclosed on 2026-01-14. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and the ease of crafting forged requests suggest a moderate risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the DASHBOARD BUILDER plugin, particularly those with shared hosting environments, are at risk. Sites with weak administrator password policies or those that haven't implemented proper access controls are especially vulnerable. Legacy WordPress installations running older versions of PHP may also be more susceptible due to potential differences in SQL query parsing.
• wordpress / composer / npm:
grep -r "dashboardbuilder-admin.php" /var/www/html/
• wordpress / composer / npm:
wp plugin list | grep -i dashboard-builder
• wordpress / composer / npm:
wp plugin update --all
• generic web: Check for unusual database activity in WordPress error logs, specifically SQL queries originating from the DASHBOARD BUILDER plugin.
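As an added example (not part of the advisory or the plugin), a Python check over the JSON output of `wp plugin list --format=json` that flags an installed dashboard-builder copy still inside the affected range; the slug, the 1.0.0 to 1.5.7 range and the 1.5.8 fix come from the advisory, and the JSON sample is constructed.

```python
"""Flag a vulnerable DASHBOARD BUILDER install from `wp plugin list --format=json`.

Added example for CVE-2025-14615: plugin slug, affected range (1.0.0 - 1.5.7)
and fixed version (1.5.8) are taken from the advisory; the JSON is constructed.
"""
import json

PLUGIN_SLUG = "dashboard-builder"
FIRST_AFFECTED = (1, 0, 0)
FIXED_IN = (1, 5, 8)

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "dashboard-builder", "status": "active", "update": "available", "version": "1.5.7"},
])


def parse_version(text):
    """Turn '1.5.7' into (1, 5, 7) so comparison is numeric, not lexical ('1.10' > '1.9')."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the installed version lies in the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def find_vulnerable_plugins(wp_plugin_list_json):
    """Return (slug, version) for each dashboard-builder entry below 1.5.8.

    Inactive copies are reported too: the plugin files stay on disk until updated or removed.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG and is_affected(plugin.get("version", "0")):
            findings.append((plugin["name"], plugin["version"]))
    return findings


if __name__ == "__main__":
    for slug, version in find_vulnerable_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{slug} {version} is affected by CVE-2025-14615; update to 1.5.8 or later")
```

Pipe real output in with `wp plugin list --format=json | python3 check.py` after replacing the constructed sample with `sys.stdin.read()`.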
EPSS
0.02% (4th percentile)
The primary mitigation for CVE-2025-14615 is to upgrade to a patched version of the DASHBOARD BUILDER plugin once available. In the interim, implement a Web Application Firewall (WAF) with rules to filter out potentially malicious requests targeting the dashboardbuilder-admin.php file. Specifically, look for requests containing unusual SQL syntax or attempts to manipulate database credentials. Consider temporarily disabling the [show-dashboardbuilder] shortcode to reduce the attack surface. After applying any mitigation, verify its effectiveness by attempting to trigger the vulnerability with a controlled test request.
No known patch available. Please review the details of the vulnerability closely and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14615 is a SQL Injection vulnerability affecting the DASHBOARD BUILDER WordPress plugin, allowing attackers to manipulate database queries through forged requests.
If you are using the DASHBOARD BUILDER plugin in versions 1.0.0 through 1.5.7, you are potentially affected by this vulnerability.
Upgrade to the latest version of the DASHBOARD BUILDER plugin as soon as a patch is released. Until then, implement WAF rules and restrict access to the plugin's settings handler.
While no active exploitation has been confirmed, the ease of exploiting SQL Injection vulnerabilities suggests a high probability of exploitation.
Refer to the DASHBOARD BUILDER plugin developer's website or WordPress.org plugin page for the official advisory and patch release.