CVE-2023-5710 — Missing Authorization in System Dashboard

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 58.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qriouslad System Dashboard Bowo System Dashboard

Timeline

PublishedDec 7

Latest updateApr 11

Description

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information such as database credentials.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDbowo/system_dashboard2.8.7

▶CVEListV5qriouslad/system_dashboard2.8.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

VulDB

System Dashboard Plugin up to 2.8.7 on WordPress sd_constants authorization↗2026-04-11

▶

CVEList

System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_constants)↗2023-12-07

▶

GHSA

GHSA-c82g-962c-cx6h: The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() functio↗2023-12-07

▶