VYPR
Medium severity (4.3) · NVD advisory · Published Mar 26, 2025 · Updated Apr 15, 2026

CVE-2025-2276

Description

The Ultimate Dashboard plugin for WordPress ≤3.8.7 lacks a capability check in handle_module_actions, allowing Subscriber+ users to activate/deactivate modules.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Ultimate Dashboard – Custom WordPress Dashboard plugin, in versions up to and including 3.8.7, is missing a capability check in the handle_module_actions function in class-feature-module.php [1]. The function is registered on the wp_ajax_udb_handle_module_actions hook, which WordPress exposes through wp-admin/admin-ajax.php to every logged-in user regardless of role. The handler is meant for site administrators, but it never verifies that the requester holds the required capability (e.g., manage_options) before activating or deactivating a module.

Exploitation

An authenticated attacker with Subscriber-level access or higher can exploit this by sending a crafted POST request to the AJAX endpoint. The handler does verify a nonce, but a WordPress nonce only ties the request to a logged-in session and to a page that user could legitimately load; it is a CSRF defense, not an authorization check. Because no capability check follows the nonce verification, any authenticated user can invoke handle_module_actions and toggle the active state of any plugin module.
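The bug class is a nonce-only admin-ajax handler. The following is an added illustration written for this page, not code from the Ultimate Dashboard plugin: a hypothetical handler (hook name example_toggle_module, parameters module and state, option names, and the module list are all invented) shown first in the vulnerable form and then with the capability check that fixes it.

```php
<?php
// Added example, not the plugin's code. Hook, parameter and option names
// (example_toggle_module, 'module', 'state', example_module_*) are hypothetical.

// --- Vulnerable pattern: nonce only ----------------------------------------
function example_toggle_module_vulnerable() {
    // A nonce proves the request was built from a page WordPress rendered for
    // *some* logged-in user; it says nothing about what that user may do.
    check_ajax_referer( 'example_module_nonce', 'nonce' );

    $module = sanitize_key( $_POST['module'] ?? '' );
    $active = ( $_POST['state'] ?? '' ) === 'activate';

    // Any authenticated user (Subscriber and up) reaches this line, because
    // wp_ajax_* hooks are served to every logged-in user via admin-ajax.php.
    update_option( 'example_module_' . $module, $active ? 'on' : 'off' );
    wp_send_json_success();
}

// --- Hardened pattern: nonce AND capability --------------------------------
function example_toggle_module_fixed() {
    // CSRF defense stays in place ...
    check_ajax_referer( 'example_module_nonce', 'nonce' );

    // ... and authorization is enforced separately: only users who may manage
    // the site are allowed to change its configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validate the module name against a fixed list (hypothetical values)
    // rather than writing an attacker-chosen key into the options table.
    $allowed = array( 'widgets', 'login_customizer', 'admin_menu' );
    $module  = sanitize_key( $_POST['module'] ?? '' );
    if ( ! in_array( $module, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown module.' ), 400 );
    }
    $active = ( $_POST['state'] ?? '' ) === 'activate';

    update_option( 'example_module_' . $module, $active ? 'on' : 'off' );
    wp_send_json_success( array( 'module' => $module, 'active' => $active ) );
}

// Only the fixed handler is registered; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_example_toggle_module', 'example_toggle_module_fixed' );
```

The two handlers differ in one place: check_ajax_referer() answers "did this request originate from a page I served to this user?", while current_user_can() answers "is this user permitted to perform the action?". A handler that changes site state needs both, and a missing second check is exactly the pattern reported here.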

Impact

Successful exploitation lets the attacker enable or disable dashboard modules at will. That is an unauthorized change to the plugin's configuration: features can be hidden from or exposed to other users, and dashboard functionality can be disrupted. The vulnerability does not by itself grant higher privileges or disclose data; the property affected is the integrity of the plugin's configuration.

Mitigation

The vendor fixed the issue in version 3.8.8; sites running 3.8.7 or earlier should update to the latest release. No official workaround is documented. Until the update can be applied, a site-specific hook that runs before the plugin's AJAX callback and rejects requests from users who lack manage_options (for example, a must-use plugin) limits exposure, and admin-ajax.php requests for the module-toggle action from low-privilege accounts are worth alerting on.
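One way to implement that interim gate, as an added example that is not vendor code: a must-use plugin that attaches to the same wp_ajax_ hook at priority 0, so it runs ahead of the plugin's own callback (WordPress's default priority is 10) and terminates the request unless the caller may manage options. The action name is the one reported on this page for the vulnerable handler; confirm it against the installed plugin's add_action() call before relying on it.

```php
<?php
/**
 * Plugin Name: Gate module-toggle AJAX (temporary workaround)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              until the plugin can be updated to the fixed release.
 *
 * Assumption: the hook name below (wp_ajax_udb_handle_module_actions) is the
 * one reported for this CVE; verify it in the plugin source before use.
 */

add_action( 'wp_ajax_udb_handle_module_actions', function () {
    // Authorized administrators fall through to the plugin's own handler,
    // which is registered later on the same hook.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Everyone else is stopped here, before the plugin's callback runs.
    // Log the attempt so incident responders can see who probed the endpoint.
    error_log( sprintf(
        '[udb-gate] blocked module-toggle AJAX call: user_id=%d ip=%s',
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    // wp_send_json_error() emits the JSON body and calls wp_die(), so no
    // later callback on this hook executes.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}, 0 );
```

Because the gate never touches the plugin's request parameters, it is safe to leave in place after updating; it simply becomes redundant once the plugin performs its own capability check.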

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patch links indexed; the fixed release is given under Mitigation)

References: 2

News mentions: 0