CVE-2025-14615
Published: 14 January 2026
Summary
CVE-2025-14615 is a high-severity CSRF (CWE-352) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 7.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Deeper analysis
The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs, in all versions up to and including 1.5.7, is affected by CVE-2025-14615, a Cross-Site Request Forgery (CSRF) vulnerability stemming from missing nonce validation on the settings handler in dashboardbuilder-admin.php. This flaw enables modification of the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) and is associated with CWE-352.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking on a malicious link, which triggers a forged request to alter the plugin's settings. The modified SQL query is then executed on the front-end when the shortcode is rendered in a publicly accessible chart, allowing arbitrary SQL injection and data exfiltration through the visible output.
Advisories reference the vulnerable code directly via WordPress plugin trac links, including dashboardbuilder-admin.php at line 158 and dashboardbuilder.php at line 51 in both the 1.5.7 tag and trunk. The Wordfence threat intelligence page provides further details on the issue, identified by vulnerability ID 106b31ed-d509-4551-a134-02193ab22fe1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2550
Vulnerability details
The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
CSRF in a public-facing WordPress plugin directly enables exploitation of the web application to achieve SQL injection and data exfiltration.
Affected Assets
- DASHBOARD BUILDER – WordPress plugin for Charts and Graphs, all versions up to and including 1.5.7
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces that the settings handler in dashboardbuilder-admin.php only accepts authenticated, authorized requests, directly blocking the forged CSRF that alters SQL queries and credentials.
- CM-5 (Access Restrictions for Change): Restricts which principals may modify plugin configuration (SQL query and DB credentials), preventing the unauthorized change that the missing nonce allows.
- Requires validation of the nonce token on every settings POST, rejecting the forged request before the stored query can be updated and later executed via the shortcode.
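The missing check described above and the controls that close it, as an added illustration rather than the plugin's own code: a WordPress settings handler that stores the query and credentials with no request-origin or authorization check, beside one gated by a capability check and check_admin_referer(). All dbb_example_* function, option and nonce names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed dbb_example_ are hypothetical.

// Pattern A: the CWE-352 shape described for the settings handler. Nothing ties the
// request to a form this site rendered for this administrator, so a request forged
// elsewhere and carried by the admin's logged-in browser is accepted and stored.
function dbb_example_save_settings_unprotected() {
    if ( empty( $_POST['dbb_example_save'] ) ) {
        return;
    }
    update_option( 'dbb_example_sql_query', wp_unslash( $_POST['sql_query'] ) );
    update_option( 'dbb_example_db_user', sanitize_text_field( wp_unslash( $_POST['db_user'] ) ) );
    update_option( 'dbb_example_db_pass', wp_unslash( $_POST['db_pass'] ) );
}

// Pattern B: hardened handler. Authorization first (AC-3 / CM-5), then nonce
// validation; both must pass before anything is written.
function dbb_example_save_settings_hardened() {
    if ( empty( $_POST['dbb_example_save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'dbb-example' ),
                '', array( 'response' => 403 ) );
    }
    // The nonce is bound to the action name, the current user and a time window. A forged
    // cross-site request cannot carry a valid one, so check_admin_referer() ends the
    // request (via wp_die) before the stored query or credentials can be changed.
    check_admin_referer( 'dbb_example_save_settings', 'dbb_example_nonce' );

    update_option( 'dbb_example_sql_query', wp_unslash( $_POST['sql_query'] ) );
    update_option( 'dbb_example_db_user', sanitize_text_field( wp_unslash( $_POST['db_user'] ) ) );
    update_option( 'dbb_example_db_pass', wp_unslash( $_POST['db_pass'] ) );
}
add_action( 'admin_init', 'dbb_example_save_settings_hardened' );

// The legitimate settings form must embed the matching nonce; wp_nonce_field() emits the
// hidden nonce input (and a referer field) that check_admin_referer() validates.
function dbb_example_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'dbb_example_save_settings', 'dbb_example_nonce' );
    echo '<textarea name="sql_query">' . esc_textarea( get_option( 'dbb_example_sql_query', '' ) ) . '</textarea>';
    echo '<input type="text" name="db_user" value="' . esc_attr( get_option( 'dbb_example_db_user', '' ) ) . '">';
    echo '<input type="password" name="db_pass" value="">';
    submit_button( 'Save', 'primary', 'dbb_example_save' );
    echo '</form>';
}
```

The capability check stays ahead of the nonce check because a nonce proves only that the request originated from a form this site rendered for this user, not that the user is authorized to change configuration.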