PT-2025-12835 · WordPress · The Ultimate Dashboard – Custom Wordpress Dashboard

Michael Mazzolini

Published

2025-03-25

Updated

2025-03-26

CVE-2025-2276

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions The Ultimate Dashboard – Custom WordPress Dashboard plugin versions up to, and including, 3.8.7

Description The issue is related to unauthorized modification of data due to a missing capability check on the handle module actions function. This allows authenticated attackers with Subscriber-level access and above to activate or deactivate plugin modules.

Recommendations For versions up to, and including, 3.8.7, update to a version that includes a fix for the missing capability check in the handle module actions function. As a temporary workaround, consider restricting access to the handle module actions function to prevent unauthorized modification of data.

Fix

LPE

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2025-2276

Affected Products

The Ultimate Dashboard – Custom Wordpress Dashboard

PT-2025-12835 · WordPress · The Ultimate Dashboard – Custom Wordpress Dashboard

CVE-2025-2276

Weakness Enumeration

Related Identifiers

Affected Products

References · 7