CVE-2023-5713 — Missing Authorization in System Dashboard

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 48.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qriouslad System Dashboard Bowo System Dashboard

Timeline

PublishedDec 7

Latest updateApr 11

Description

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve potentially sensitive option values, and deserialize the content of those values.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDbowo/system_dashboard2.8.7

▶CVEListV5qriouslad/system_dashboard2.8.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

VulDB

System Dashboard Plugin up to 2.8.7 on WordPress sd_option_value authorization↗2026-04-11

▶

CVEList

System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_option_value)↗2023-12-07

▶

GHSA

GHSA-mgjw-x57p-2wmf: The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() func↗2023-12-07

▶