cleantalk
Vulnerabilities and Security Researches

System Dashboard, CVE-2025-10377

CVE, Research URL

CVE-2025-10377

Home page URL

Security reports for System Dashboard

Application

System Dashboard

Published on
Sep 26, 2025
Research Description
The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.8.21.
Status
vulnerable
Previous vulnerability researches
Password Policy Manager | Password Manager (CVE-2025-11255) , Nov 10, 2025
Password Policy Manager | Password Manager (CVE-2025-31019) , Jun 14, 2025
New vulnerability
Finale Lite – Sales Countdown Timer & Discount for WooCommerce (CVE-2025-52736) , Nov 11, 2025
APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps (CVE-2025-53218) , Nov 11, 2025
Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin (CVE-2025-62019) , Nov 11, 2025
Premmerce Product Search for WooCommerce (CVE-2025-64289) , Nov 11, 2025
Premmerce Product Search for WooCommerce (CVE-2025-64290) , Nov 11, 2025