System Dashboard < 2.8.8 – Missing Authorization to Information Disclosure (sd_php_info) | CVE 2023-5711 | Plugin Vulnerabilities

Description

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information provided by PHP info.

Affects Plugins

system-dashboard

Fixed in 2.8.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/17bc3a9f-2bf9-44e3-81ef-bfa932085da9

URL

https://research.cleantalk.org/cve-2023-5711

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

1b25484c-b44f-4d86-8b2e-84953457a8df

Timeline

Publicly Published

2023-12-06 (about 2 years ago)

Added

2023-12-08 (about 2 years ago)

Last Updated

2024-02-20 (about 2 years ago)

Other

Published

Title

Published

2025-03-03

Title

Animation Addons for Elementor Pro < 1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

Published

2025-04-16

Title

Editor Wysiwyg Background Color <= 1.0 - Missing Authorization

Published

2025-10-08

Title

Salient Core < 3.0.9 - Missing Authorization

Published

2025-11-07

Title

Traveler <= 3.2.6 - Missing Authorization

Published

2025-01-14

Title

VOD Infomaniak < 1.5.10 - Missing Authorization