cleantalk
Vulnerabilities and Security Researches

Ultimate Dashboard – Custom WordPress Dashboard, CVE-2023-4726

CVE, Research URL

CVE-2023-4726

Home page URL

Security reports for Ultimate Dashboard – Custom WordPress Dashboard

Application

Ultimate Dashboard – Custom WordPress Dashboard

Published on
Nov 22, 2023
Research Description
The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.7. due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
Min -, max 3.7.8.
Status
vulnerable
Previous vulnerability researches
Ultimate Dashboard – Custom WordPress Dashboard (CVE-2025-1525) , Apr 25, 2025
Ultimate Dashboard – Custom WordPress Dashboard (CVE-2025-1524) , Apr 25, 2025
Ultimate Dashboard – Custom WordPress Dashboard (CVE-2025-1523) , Apr 25, 2025
Ultimate Dashboard – Custom WordPress Dashboard (CVE-2025-2276) , Mar 27, 2025
Ultimate Dashboard – Custom WordPress Dashboard (CVE-2023-2812) , Jun 07, 2024
New vulnerability
License For Envato (CVE-2025-39399) , Apr 25, 2025
occupancyplan (CVE-2025-46450) , Apr 25, 2025
Wp Custom CMS Block (CVE-2025-46457) , Apr 25, 2025
Google News (CVE-2025-46452) , Apr 25, 2025
LSD Custom taxonomy and category meta (CVE-2025-46502) , Apr 25, 2025