Platform: wordpress
Component: dashboard-builder
Fixed in: 1.5.8
CVE-2025-14615 describes a SQL Injection vulnerability discovered in the DASHBOARD BUILDER – WordPress plugin for Charts and Graphs. This flaw allows unauthenticated attackers to manipulate SQL queries and database credentials, potentially compromising sensitive data. The vulnerability impacts versions 1.0.0 through 1.5.7, and a fix is expected to be released by the plugin developer.
The SQL Injection vulnerability in DASHBOARD BUILDER allows an attacker to inject malicious SQL code into database queries. By crafting a forged request, an attacker can trick a site administrator into executing this code, potentially gaining unauthorized access to the database. This could lead to the theft of sensitive information such as user credentials, financial data, or other confidential records. Furthermore, successful exploitation could allow the attacker to modify or delete data within the database, disrupting the functionality of the WordPress site. The impact is amplified if the database contains personally identifiable information (PII) or other regulated data, potentially leading to compliance violations and legal repercussions.
CVE-2025-14615 was publicly disclosed on 2026-01-14. The vulnerability is present in a widely used WordPress plugin, increasing the potential attack surface. While no public proof-of-concept (PoC) has been released as of this writing, the ease of exploiting SQL Injection vulnerabilities suggests a high probability of exploitation if a PoC is developed. The EPSS score is likely to be medium or high, reflecting the potential for widespread exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14615 is to upgrade to a patched version of the DASHBOARD BUILDER plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to filter out malicious SQL injection attempts. Specifically, rules should be created to block requests containing suspicious SQL syntax. Additionally, restrict access to the plugin's settings handler (dashboardbuilder-admin.php) to authorized administrators only. After upgrading, verify the fix by attempting to inject a simple SQL query through the plugin's shortcode and confirming that it is properly sanitized.
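The two operator-side actions above, checking whether the installed plugin falls in the affected range and watching for injection attempts against the settings handler, can be scripted. The following is an added example written for this page; it is not code from the advisory, the plugin, or its developer. It assumes the plugin's main PHP file carries the standard WordPress plugin header (the `Version:` key), that the web server writes Apache/nginx combined-format access logs, and that requests to the settings handler carry a query string. The handler name `dashboardbuilder-admin.php` and the version bounds come from the advisory; the `chart` parameter, the file contents and the log lines are constructed for the example.

```python
"""Defender-side checks for CVE-2025-14615 (added example, not the plugin's code).

Assumptions (labelled): WordPress plugin header with a 'Version:' key; combined-format
access logs; the 'chart' query parameter and all sample data below are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Version bounds taken from the advisory: 1.0.0 through 1.5.7 affected, fixed in 1.5.8.
AFFECTED_MIN = (1, 0, 0)
FIXED_IN = (1, 5, 8)

# Settings handler named in the advisory's mitigation section.
SETTINGS_HANDLER = "dashboardbuilder-admin.php"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.5.7' into (1, 5, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def plugin_header_version(php_source: str) -> Optional[Tuple[int, ...]]:
    """Read the 'Version:' line from a WordPress plugin header comment block.

    WordPress itself reads plugin metadata from this comment; 'Version:' is one of
    its documented keys. Returns None when no such line exists.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", php_source, re.MULTILINE)
    return parse_version(match.group(1)) if match else None


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the installed version lies in the advisory's affected range."""
    return AFFECTED_MIN <= version < FIXED_IN


# Apache/nginx combined format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse SQL-injection indicators, evaluated on the percent-decoded request target.
# Deliberately generic (quote followed by OR/AND, UNION SELECT, comment markers, sleep());
# a production WAF rule set would be broader, but this is enough to triage log lines.
SQLI_HINT = re.compile(r"(?i)(?:['\"]\s*(?:or|and)\b|\bunion\s+(?:all\s+)?select\b|--\s|/\*|\bsleep\s*\()")


def suspicious_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_target) for requests that reach the settings handler
    and carry an injection indicator. Scoping to the handler keeps noise from other
    pages (search forms, comments) out of the result."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        target = unquote(m.group("target"))  # decode %27 etc. before matching
        if SETTINGS_HANDLER in target and SQLI_HINT.search(target):
            hits.append((m.group("ip"), target))
    return hits


# --- constructed sample input (not real files or logs) ---
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: DASHBOARD BUILDER
 * Version: 1.5.3
 */
"""

SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [14/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=dashboardbuilder-admin.php&tab=general HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Jan/2026:10:01:09 +0000] "GET /wp-admin/admin.php?page=dashboardbuilder-admin.php&chart=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.10 - - [14/Jan/2026:10:02:30 +0000] "GET /?s=union+select HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def main() -> None:
    version = plugin_header_version(SAMPLE_PLUGIN_HEADER)
    label = "AFFECTED, upgrade to 1.5.8" if version and is_affected(version) else "not in affected range"
    print(f"installed {'.'.join(map(str, version)) if version else 'unknown'}: {label}")
    for ip, target in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"suspicious request to settings handler from {ip}: {target}")


if __name__ == "__main__":
    main()
```

In practice, point `plugin_header_version` at the main file under `wp-content/plugins/dashboard-builder/` and feed `suspicious_requests` the live access log; the third sample line shows why the handler filter matters, since a search query containing SQL keywords is not a hit on this plugin.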
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14615 is a SQL Injection vulnerability affecting the DASHBOARD BUILDER WordPress plugin, allowing attackers to manipulate database queries through forged requests.
If you are using the DASHBOARD BUILDER plugin in versions 1.0.0 through 1.5.7, you are potentially affected by this vulnerability.
Upgrade to the latest version of the DASHBOARD BUILDER plugin as soon as a patch is released. Until then, implement WAF rules and restrict access to the plugin's settings handler.
While no active exploitation has been confirmed, the ease of exploiting SQL Injection vulnerabilities suggests a high probability of exploitation.
Refer to the DASHBOARD BUILDER plugin developer's website or WordPress.org plugin page for the official advisory and patch release.