Cyber Resilience

CVE-2025-14615

Severity: High
Published: 14 January 2026
Modified: 15 April 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
EPSS Score: 0.0003 (7.7th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14615 is a high-severity cross-site request forgery (CSRF, CWE-352) vulnerability in WordPress (affected product inferred from references). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 7.7th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs, in all versions up to and including 1.5.7, is affected by CVE-2025-14615, a Cross-Site Request Forgery (CSRF) vulnerability stemming from missing nonce validation on the settings handler in dashboardbuilder-admin.php. This flaw enables modification of the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) and is associated with CWE-352.

Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking on a malicious link, which triggers a forged request to alter the plugin's settings. The modified SQL query is then executed on the front-end when the shortcode is rendered in a publicly accessible chart, allowing arbitrary SQL injection and data exfiltration through the visible output.

Advisories reference the vulnerable code directly via WordPress plugin trac links, including dashboardbuilder-admin.php at line 158 and dashboardbuilder.php at line 51 in both the 1.5.7 tag and trunk. The Wordfence threat intelligence page provides further details on the issue, identified by vulnerability ID 106b31ed-d509-4551-a134-02193ab22fe1.

Vulnerability details

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output.

CWE(s): CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A CSRF flaw in a public-facing WordPress plugin lets an attacker exploit the web application directly, leading to SQL injection and data exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)
CVE-2025-23848 (shared CWE-352)
CVE-2025-22571 (shared CWE-352)
CVE-2024-53684 (shared CWE-352)
CVE-2025-23455 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

prevent (AC-3 Access Enforcement): Enforces that the settings handler in dashboardbuilder-admin.php only accepts authenticated, authorized requests, directly blocking the forged CSRF that alters SQL queries and credentials.

prevent (CM-5 Access Restrictions for Change): Restricts which principals may modify plugin configuration (SQL query and DB credentials), preventing the unauthorized change that the missing nonce allows.

prevent: Requires validation of the nonce token on every settings POST, rejecting the forged request before the stored query can be updated and later executed via the shortcode.
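As an added illustration (not code from the DASHBOARD BUILDER plugin or its fix), the following minimal WordPress settings handler applies the capability and nonce checks the controls above describe; the option name, nonce action, and form field names are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. The option name, nonce action and
// field names are assumptions for illustration only.

const DB_EXAMPLE_OPTION = 'db_example_settings';
const DB_EXAMPLE_NONCE  = 'db_example_save_settings';

// Renders the settings form. wp_nonce_field() embeds a per-user, time-limited
// token that a third-party site cannot read, so a forged POST cannot carry it.
function db_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'Insufficient permissions.' ) );
    }
    $settings = get_option( DB_EXAMPLE_OPTION, array( 'sql_query' => '' ) );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( DB_EXAMPLE_NONCE, '_db_example_nonce' ); ?>
        <textarea name="sql_query"><?php echo esc_textarea( $settings['sql_query'] ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handles the settings POST. A handler without the check_admin_referer() call
// accepts any request the administrator's browser is induced to send, which is
// the missing-nonce pattern behind CVE-2025-14615.
function db_example_handle_settings_post() {
    if ( ! isset( $_SERVER['REQUEST_METHOD'], $_POST['sql_query'] )
        || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    // Capability check: only principals allowed to change configuration (AC-3 / CM-5).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // Nonce check: check_admin_referer() calls wp_die() when the token is missing
    // or invalid, so the stored query is never touched by a forged request.
    check_admin_referer( DB_EXAMPLE_NONCE, '_db_example_nonce' );

    // Note: the stored string is still executed as SQL at render time, so the
    // CSRF fix alone does not remove the risk of a privileged user storing a
    // harmful query; restricting or parameterising that query is a separate concern.
    update_option( DB_EXAMPLE_OPTION, array(
        'sql_query' => wp_unslash( $_POST['sql_query'] ),
    ) );
}
add_action( 'admin_init', 'db_example_handle_settings_post' );
```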

References