CVE-2023-5714 — Missing Authorization in System Dashboard

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 58.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qriouslad System Dashboard Bowo System Dashboard

Timeline

PublishedDec 7

Latest updateApr 11

Description

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDbowo/system_dashboard2.8.7

▶CVEListV5qriouslad/system_dashboard2.8.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

VulDB

System Dashboard Plugin up to 2.8.7 on WordPress sd_db_specs authorization↗2026-04-11

▶

GHSA

GHSA-7hj5-pcgr-frg2: The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function↗2023-12-07

▶

CVEList

System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_db_specs)↗2023-12-07

▶