CVE-2025-2276Missing Authorization in Ultimate Dashboard Custom Wordpress Dashboard

CWE-862Missing Authorization3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 74.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Davidvongries Ultimate Dashboard Custom Wordpress Dashboard
Timeline
PublishedMar 26

Description

The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-2phh-fpc3-4x9w: The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capabilit2025-03-26
CVEList
Ultimate Dashboard <= 3.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation2025-03-25
CVE-2025-2276 — Missing Authorization | cvebase