Platform: wordpress
Component: dashboard-builder
Fixed in: 1.5.8
CVE-2025-14615 describes a SQL Injection vulnerability discovered in the DASHBOARD BUILDER – WordPress plugin for Charts and Graphs. This flaw allows unauthenticated attackers to manipulate SQL queries and database credentials, potentially compromising sensitive data. The vulnerability impacts versions 1.0.0 through 1.5.7, and a fix is expected to be released by the plugin developer.
The SQL Injection vulnerability in DASHBOARD BUILDER allows an attacker to inject malicious SQL code into database queries. By crafting a forged request, an attacker can trick a site administrator into executing this code, potentially gaining unauthorized access to the database. This could lead to the theft of sensitive information such as user credentials, financial data, or other confidential records. Furthermore, successful exploitation could allow the attacker to modify or delete data within the database, disrupting the functionality of the WordPress site. The impact is amplified if the database contains personally identifiable information (PII) or other regulated data, potentially leading to compliance violations and legal repercussions.
CVE-2025-14615 was publicly disclosed on 2026-01-14. The vulnerability is present in a widely used WordPress plugin, increasing the potential attack surface. While no public proof-of-concept (PoC) has been released as of this writing, the ease of exploiting SQL Injection vulnerabilities suggests a high probability of exploitation if a PoC is developed. The EPSS score is likely to be medium or high, reflecting the potential for widespread exploitation.
WordPress websites utilizing the DASHBOARD BUILDER plugin, particularly those with shared hosting environments, are at risk. Sites with weak administrator password policies or those that haven't implemented proper access controls are especially vulnerable. Legacy WordPress installations running older versions of PHP may also be more susceptible due to potential differences in SQL query parsing.
• wordpress / composer / npm: locate references to the plugin's settings handler on disk:
  grep -r "dashboardbuilder-admin.php" /var/www/html/
• wordpress / composer / npm: list installed plugins and check the DASHBOARD BUILDER version (the pattern is quoted so grep does not treat the second word as a file name):
  wp plugin list | grep -i "dashboard.builder"
• wordpress / composer / npm: update plugins once the fixed release is available:
  wp plugin update --all
• generic web: Check for unusual database activity in WordPress error logs, specifically SQL queries originating from the DASHBOARD BUILDER plugin.
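As an added example that is not part of this advisory, the following POSIX shell check finds installed copies of the plugin by their plugin header and decides whether the version falls in the affected range 1.0.0 through 1.5.7, taking 1.5.8 as the fixed version from the metadata above. The WordPress root path and the header text "Plugin Name: DASHBOARD BUILDER" are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory. Flags installed copies of the DASHBOARD
# BUILDER plugin whose "Version:" header is in the affected range 1.0.0 - 1.5.7
# (fixed in 1.5.8 per the advisory metadata). Assumed: the header reads
# "Plugin Name: DASHBOARD BUILDER" (matched case-insensitively).

FIXED_VERSION="1.5.8"

# Compare dotted versions: prints -1, 0 or 1 for a<b, a==b, a>b.
# Missing components count as 0 (so 1.5 == 1.5.0); non-digits are dropped.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai=$(printf '%s' "$ai" | tr -cd '0-9'); bi=$(printf '%s' "$bi" | tr -cd '0-9')
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && { printf '%s\n' -1; return; }
        [ "$ai" -gt "$bi" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# Extract the "Version:" plugin header, the same field WordPress reads
# and wp plugin list displays.
plugin_header_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeeds when 1.0.0 <= version < FIXED_VERSION.
is_affected_version() {
    [ "$(version_cmp "$1" 1.0.0)" -ge 0 ] && [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Scan wp-content/plugins under a WordPress root (assumed path) and report each copy.
check_install() {
    for f in "$1"/wp-content/plugins/*/*.php; do
        [ -f "$f" ] || continue
        grep -qi '^[[:space:]]*\*\{0,1\}[[:space:]]*Plugin Name:.*dashboard builder' "$f" || continue
        v=$(plugin_header_version "$f")
        if is_affected_version "$v"; then
            echo "AFFECTED $f version $v (CVE-2025-14615, fixed in $FIXED_VERSION)"
        else
            echo "ok       $f version $v"
        fi
    done
}
```

Run it as `check_install /var/www/html` (or whatever the site root is); any AFFECTED line means the install is still within the vulnerable range and needs the update or the interim mitigations below.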
disclosure
Exploit status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14615 is to upgrade to a patched version of the DASHBOARD BUILDER plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to filter out malicious SQL injection attempts. Specifically, rules should be created to block requests containing suspicious SQL syntax. Additionally, restrict access to the plugin's settings handler (dashboardbuilder-admin.php) to authorized administrators only. After upgrading, verify the fix by attempting to inject a simple SQL query through the plugin's shortcode and confirming that it is properly sanitized.
No known patch is available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be better to uninstall the affected software and look for a replacement.
CVE-2025-14615 is a SQL Injection vulnerability affecting the DASHBOARD BUILDER WordPress plugin, allowing attackers to manipulate database queries through forged requests.
If you are using the DASHBOARD BUILDER plugin in versions 1.0.0 through 1.5.7, you are potentially affected by this vulnerability.
Upgrade to the latest version of the DASHBOARD BUILDER plugin as soon as a patch is released. Until then, implement WAF rules and restrict access to the plugin's settings handler.
While no active exploitation has been confirmed, the ease of exploiting SQL Injection vulnerabilities suggests a high probability of exploitation.
Refer to the DASHBOARD BUILDER plugin developer's website or WordPress.org plugin page for the official advisory and patch release.