CVE-2026-3140
Received Received - Intake
Cross-Site Request Forgery in Ultimate Dashboard WordPress Plugin

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: Wordfence

Description
The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. This makes it possible for unauthenticated attackers to toggle plugin modules on or off via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3140
EUVD
EUVD-2026-26496
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ultimate_dashboard ultimate_dashboard to 3.8.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Ultimate Dashboard plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 3.8.14. This occurs because of a flawed nonce validation check in the 'handle_module_actions' function. As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking a malicious link, which allows the attacker to toggle plugin modules on or off without the administrator's intent.

Impact Analysis

This vulnerability can impact you by allowing an attacker to change the state of plugin modules on your WordPress site without your consent. Since the attacker can toggle modules on or off by tricking an administrator into clicking a link, it may lead to unauthorized changes in the site's functionality or security posture. Although it does not directly compromise data confidentiality or availability, it can degrade the integrity of your site’s configuration.

Mitigation Strategies

The vulnerability affects all versions of the Ultimate Dashboard plugin up to and including 3.8.14. To mitigate this vulnerability, you should update the Ultimate Dashboard plugin to a version later than 3.8.14 where the nonce validation issue is fixed.

Additionally, as a precaution, avoid clicking on suspicious links or performing actions initiated by untrusted sources that could trigger the plugin's module toggling functionality.

Compliance Impact

The vulnerability allows unauthenticated attackers to toggle plugin modules on or off by tricking a site administrator into performing an action. This Cross-Site Request Forgery (CSRF) flaw could potentially lead to unauthorized changes in the website's functionality.

While the CVE description does not explicitly mention impacts on compliance with standards such as GDPR or HIPAA, unauthorized changes to website modules could indirectly affect data integrity or security controls required by these regulations.

However, there is no direct information provided about how this vulnerability specifically impacts compliance with common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3140. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart