WordPress Plugin Vulnerabilities
Ultimate Dashboard < 3.8.8 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation
Description
The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules.
Affects Plugins
Fixed in 3.8.8 References
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
mikemyers
Verified
No
WPVDB ID
Timeline
Publicly Published
2025-03-25 (about 1 year ago)
Added
2025-03-25 (about 1 year ago)
Last Updated
2025-03-25 (about 1 year ago)
WPScan 