CVE-2025-14615

Severity: High
CWE-352 — Weakness Type
Published: Jan 14, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 7.1
📄 Description (English)

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output.

🤖 AI Executive Summary

The DASHBOARD BUILDER WordPress plugin (versions ≤1.5.7) contains a critical CSRF vulnerability allowing unauthenticated attackers to modify SQL queries and database credentials through forged requests. When an admin is tricked into clicking a malicious link, attackers can inject arbitrary SQL commands that execute on the front-end, leading to unauthorized data exfiltration via publicly visible charts. This vulnerability combines CSRF with SQL injection, creating a severe risk for WordPress sites storing sensitive data.

🤖 AI Intelligence Analysis Analyzed: May 10, 2026 03:33
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress for business intelligence dashboards face significant risk, particularly in:
1. Banking sector (SAMA-regulated institutions) storing financial data and transaction records
2. Government agencies (NCA oversight) managing citizen data and administrative information
3. Healthcare providers (MOH-regulated) handling patient records
4. Energy sector (ARAMCO, utilities) managing operational metrics
5. Telecommunications (STC, Mobily) tracking customer and network data
The vulnerability enables attackers to exfiltrate sensitive data through publicly accessible chart outputs, bypassing normal access controls. Saudi organizations relying on WordPress for dashboard analytics are particularly vulnerable if administrators lack security awareness training.
🏢 Affected Saudi Sectors
Banking & Financial Services, Government & Public Administration, Healthcare & Medical Services, Energy & Utilities, Telecommunications, E-commerce & Retail, Education & Research
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Update DASHBOARD BUILDER plugin to version 1.5.8 or later immediately
2. Audit all dashboard shortcodes and verify SQL queries for unauthorized modifications
3. Review database access logs for suspicious query patterns
4. Check chart outputs for unexpected data exposure

PATCHING GUIDANCE:
1. Backup WordPress database and files before updating
2. Update plugin through WordPress admin dashboard or manually upload patched version
3. Test all dashboards post-update to ensure functionality
4. Verify nonce validation is present in updated version

COMPENSATING CONTROLS (if immediate patching delayed):
1. Disable the [show-dashboardbuilder] shortcode on all pages until patched
2. Restrict admin dashboard access to specific IP ranges
3. Implement Web Application Firewall (WAF) rules to block suspicious POST requests to dashboardbuilder-admin.php
4. Require multi-factor authentication for all WordPress administrators
5. Implement Content Security Policy (CSP) headers to prevent CSRF attacks

DETECTION RULES:
1. Monitor POST requests to /wp-admin/admin.php with dashboardbuilder parameters
2. Alert on modifications to dashboard settings without corresponding admin session logs
3. Track changes to SQL queries stored in wp_options table
4. Monitor for unusual database credentials in plugin configuration
5. Log all shortcode rendering with SQL query parameters for audit trail
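Detection rule 1 above can be prototyped as a scan of the web server's access log. The Python below is an added example, not code from this page or from the plugin; it assumes combined-log-format lines with a Referer field, a site host of example.com, and a constructed `page=dashboardbuilder` query slug (the plugin's real admin slug is not given here). It flags POSTs to the plugin's admin handler whose Referer is absent or comes from a foreign origin, the shape a forged request from a lure page leaves behind.

```python
import re
from typing import Optional
from urllib.parse import urlparse, parse_qsl

# Combined log format with the Referer as the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines: a legitimate in-site save, a save referred from a foreign page,
# a harmless GET, and a save with no Referer at all.
SAMPLE_LOG = """\
203.0.113.7 - admin [14/Jan/2026:10:01:02 +0300] "POST /wp-admin/admin.php?page=dashboardbuilder HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=dashboardbuilder"
203.0.113.7 - admin [14/Jan/2026:10:05:44 +0300] "POST /wp-admin/admin.php?page=dashboardbuilder HTTP/1.1" 302 0 "https://lure.example.net/offer.html"
198.51.100.9 - - [14/Jan/2026:10:06:10 +0300] "GET /wp-admin/admin.php?page=dashboardbuilder HTTP/1.1" 200 5120 "https://example.com/wp-admin/"
203.0.113.7 - admin [14/Jan/2026:10:07:31 +0300] "POST /wp-admin/admin.php?page=dashboardbuilder HTTP/1.1" 302 0 "-"
"""

def targets_dashboardbuilder(target: str) -> bool:
    """True for /wp-admin/admin.php requests whose query string names the plugin
    (the 'page=dashboardbuilder' slug in the sample is assumed, not taken from the plugin)."""
    url = urlparse(target)
    if url.path != "/wp-admin/admin.php":
        return False
    return any("dashboardbuilder" in (k + v).lower()
               for k, v in parse_qsl(url.query, keep_blank_values=True))

def referer_finding(referer: str, site_host: str) -> Optional[str]:
    """Label a settings POST whose Referer is absent or from another origin."""
    if referer in ("", "-"):
        return "missing-referer"        # browsers may strip it: review, do not auto-block
    host = (urlparse(referer).hostname or "").lower()
    return None if host == site_host.lower() else "cross-origin-referer"

def find_csrf_candidates(log_text: str, site_host: str) -> list:
    """Apply detection rule 1: flag POSTs to the plugin's admin handler that do not
    originate from the site's own admin pages."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not targets_dashboardbuilder(m["target"]):
            continue
        label = referer_finding(m["referer"], site_host)
        if label:
            findings.append({"ts": m["ts"], "ip": m["ip"], "referer": m["referer"], "finding": label})
    return findings
```

Calling `find_csrf_candidates(SAMPLE_LOG, "example.com")` returns the two suspicious saves; a cross-origin Referer on an authenticated settings save is the signature of a forged request, while a missing Referer is only a review cue because browser privacy settings strip it on legitimate requests too.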
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.2 - Access control and authentication mechanisms
A.7.1.1 - Event logging and monitoring
A.8.2.1 - User access management
A.12.4.1 - Event logging requirements
🔵 SAMA CSF
Governance & Risk Management - Security governance and risk assessment
Information & Cybersecurity - Data protection and access controls
Resilience & Recovery - Incident detection and response
Third-Party Risk Management - Vendor security assessment
🟡 ISO 27001:2022
5.3 - Access control
6.5.2 - Secure development policy
8.2.1 - User registration and access rights
8.3.1 - User access provisioning
8.3.2 - Access rights review
8.3.3 - Password management
8.3.4 - Review of user access rights
🟣 PCI DSS v4.0.1
Requirement 6.5.9 - Protection against cross-site request forgery (CSRF)
Requirement 6.5.1 - Injection flaws prevention
Requirement 8.1 - Assign unique ID to each person with computer access
📊 CVSS Score: 7.1 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Required (UI:R)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: Low (I:L)
Availability: None (A:N)
📋 Quick Facts
Severity: High
CVSS Score: 7.1
CWE: CWE-352
EPSS: 0.01%
Exploit: No
Patch: Yes
Published: 2026-01-14
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 — Priority: CRITICAL
🏷️ Tags: CWE-352