CVE-2026-3140
Cross-Site Request Forgery in Ultimate Dashboard WordPress Plugin
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ultimate_dashboard | ultimate_dashboard | to 3.8.14 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the Ultimate Dashboard plugin up to and including 3.8.14. To mitigate this vulnerability, you should update the Ultimate Dashboard plugin to a version later than 3.8.14 where the nonce validation issue is fixed.
Additionally, as a precaution, avoid clicking on suspicious links or performing actions initiated by untrusted sources that could trigger the plugin's module toggling functionality.
Can you explain this vulnerability to me?
The Ultimate Dashboard plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 3.8.14. This occurs because of a flawed nonce validation check in the 'handle_module_actions' function. As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking a malicious link, which allows the attacker to toggle plugin modules on or off without the administrator's intent.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to change the state of plugin modules on your WordPress site without your consent. Since the attacker can toggle modules on or off by tricking an administrator into clicking a link, it may lead to unauthorized changes in the site's functionality or security posture. Although it does not directly compromise data confidentiality or availability, it can degrade the integrity of your siteβs configuration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to toggle plugin modules on or off by tricking a site administrator into performing an action. This Cross-Site Request Forgery (CSRF) flaw could potentially lead to unauthorized changes in the website's functionality.
While the CVE description does not explicitly mention impacts on compliance with standards such as GDPR or HIPAA, unauthorized changes to website modules could indirectly affect data integrity or security controls required by these regulations.
However, there is no direct information provided about how this vulnerability specifically impacts compliance with common standards and regulations.