Cross-Site Request Forgery in Dashboard Builder Plugin for WordPress
CVE-2025-14615

7.1HIGH

Key Information:

Vendor: WordPress
Status: Dashboard Builder – WordPress Plugin For Charts And Graphs
Vendor: CVE Published:; 14 January 2026

What is CVE-2025-14615?

The Dashboard Builder plugin for WordPress is prone to a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in its settings handler. This flaw allows unauthenticated attackers to manipulate the SQL query and database credentials used by the shortcode [show-dashboardbuilder]. By tricking an administrator into performing unwanted actions, attackers can execute modified SQL queries upon rendering the shortcode, leading to potential SQL injection and unauthorized data access through visible chart outputs.

Affected Version(s)

DASHBOARD BUILDER – WordPress plugin for Charts and Graphs * <= 1.5.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/dashboard-buil...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 14, 2026
Vulnerability Reserved
Dec 12, 2025

Credit

omer yeshayahu

JSON