Which Ultimate Dashboard – Custom WordPress Dashboard CVEs are tracked?

Ultimate Dashboard – Custom WordPress Dashboard tracked CVEs include CVE-2023-49822, CVE-2025-1524, CVE-2025-1525, CVE-2025-1523, and CVE-2023-50828.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 9 known issues Latest disclosed Apr 30, 2026

Ultimate Dashboard – Custom WordPress Dashboard Vulnerabilities

Q: How many Ultimate Dashboard – Custom WordPress Dashboard vulnerabilities have patch guidance?

9 of 9 tracked Ultimate Dashboard – Custom WordPress Dashboard records include a published patch path.

Review known vulnerability records for the WordPress plugin Ultimate Dashboard – Custom WordPress Dashboard (`ultimate-dashboard`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-3140, CVE-2025-1524 and CVE-2025-1525, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 30, 2026

Priority CVE Quick Links

Fast paths into Ultimate Dashboard – Custom WordPress Dashboard CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2023-49822 Medium 3.7.11

CVE-2023-49822 Ultimate Dashboard – Custom WordPress Dashboard Vulnerability

Ultimate Dashboard <= 3.7.10 - Login Page Disclosure on Multi-site

CVE-2025-1524 Medium 3.8.6

CVE-2025-1524 Ultimate Dashboard – Custom WordPress Dashboard Stored Cross-Site Scripting

Ultimate Dashboard <= 3.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

CVE-2025-1525 Medium 3.8.6

CVE-2025-1525 Ultimate Dashboard – Custom WordPress Dashboard Stored Cross-Site Scripting

Ultimate Dashboard <= 3.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

CVE-2025-1523 Medium 3.8.6

CVE-2025-1523 Ultimate Dashboard – Custom WordPress Dashboard Stored Cross-Site Scripting

Ultimate Dashboard <= 3.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

CVE-2023-50828 Medium 3.7.12

CVE-2023-50828 Ultimate Dashboard – Custom WordPress Dashboard Stored Cross-Site Scripting

Ultimate Dashboard <= 3.7.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

CVE-2023-4726 Medium 3.7.8

CVE-2023-4726 Ultimate Dashboard – Custom WordPress Dashboard Stored Cross-Site Scripting

Ultimate Dashboard <= 3.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

CVE-2023-2812 Medium 3.7.6

CVE-2023-2812 Ultimate Dashboard – Custom WordPress Dashboard Stored Cross-Site Scripting

Ultimate Dashboard <= 3.7.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

CVE-2026-3140 Medium 3.8.15

CVE-2026-3140 Ultimate Dashboard – Custom WordPress Dashboard Cross-Site Request Forgery

Ultimate Dashboard <= 3.8.14 - Cross-Site Request Forgery to Module Activation/Deactivation

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Ultimate Dashboard – Custom WordPress Dashboard so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

9 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 0 high severity findings.

Recent CVEs

CVE-2026-3140, CVE-2025-1524 and CVE-2025-1525

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-3140 Medium Patch path listed

CVE-2026-3140: Ultimate Dashboard <= 3.8.14 - Cross-Site Request Forgery to Module Activation/Deactivation

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in...

Published

Apr 30, 2026

Patch Status

3.8.15

Open CVE-2026-3140 Report

CVE-2025-1524 Medium Patch path listed

CVE-2025-1524: Ultimate Dashboard <= 3.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 3.8.6 due to insufficient input sanitization and output escaping. This makes it pos...

Published

Mar 27, 2025

Patch Status

3.8.6

Open CVE-2025-1524 Report

CVE-2025-1525 Medium Patch path listed

CVE-2025-1525: Ultimate Dashboard <= 3.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 3.8.6 due to insufficient input sanitization and output escaping. This makes it pos...

Published

Mar 27, 2025

Patch Status

3.8.6

Open CVE-2025-1525 Report

Known Vulnerabilities

Reports for Ultimate Dashboard – Custom WordPress Dashboard

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-3140

CVE-2026-3140: Ultimate Dashboard <= 3.8.14 - Cross-Site Request Forgery to Module Activation/Deactivation

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. This makes it possible for unauthenticated attackers...

Published

Apr 30, 2026

Patched Release

3.8.15

Affected Versions

Versions up to 3.8.14

Next Step

Update to 3.8.15 or newer if supported.

Open CVE-2026-3140 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-1524

CVE-2025-1524: Ultimate Dashboard <= 3.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 3.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject ar...

Published

Mar 27, 2025

Patched Release

3.8.6

Affected Versions

Versions up to 3.8.5

Next Step

Update to 3.8.6 or newer if supported.

Open CVE-2025-1524 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-1525

CVE-2025-1525: Ultimate Dashboard <= 3.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

Mar 27, 2025

Patched Release

3.8.6

Affected Versions

Versions up to 3.8.5

Next Step

Update to 3.8.6 or newer if supported.

Open CVE-2025-1525 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-1523

CVE-2025-1523: Ultimate Dashboard <= 3.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

Mar 27, 2025

Patched Release

3.8.6

Affected Versions

Versions up to 3.8.5

Next Step

Update to 3.8.6 or newer if supported.

Open CVE-2025-1523 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-2276

CVE-2025-2276: Ultimate Dashboard <= 3.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation

The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticate...

Published

Mar 25, 2025

Patched Release

3.8.8

Affected Versions

Versions up to 3.8.7

Next Step

Update to 3.8.8 or newer if supported.

Open CVE-2025-2276 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-50828

CVE-2023-50828: Ultimate Dashboard <= 3.7.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

Published

Dec 19, 2023

Patched Release

3.7.12

Affected Versions

Versions up to 3.7.11

Next Step

Update to 3.7.12 or newer if supported.

Open CVE-2023-50828 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-49822

CVE-2023-49822: Ultimate Dashboard <= 3.7.10 - Login Page Disclosure on Multi-site

The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to secret login page disclosure in all versions up to, and including, 3.7.10. This makes it possible for unauthenticated attackers to discover the secret login page URL on multi-site instances

Published

Dec 05, 2023

Patched Release

3.7.11

Affected Versions

Versions up to 3.7.10

Next Step

Update to 3.7.11 or newer if supported.

Open CVE-2023-49822 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-4726

CVE-2023-4726: Ultimate Dashboard <= 3.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.7. due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-...

Published

Nov 13, 2023

Patched Release

3.7.8

Affected Versions

Versions up to 3.7.7

Next Step

Update to 3.7.8 or newer if supported.

Open CVE-2023-4726 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-2812

CVE-2023-2812: Ultimate Dashboard <= 3.7.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-l...

Published

May 21, 2023

Patched Release

3.7.6

Affected Versions

Versions before 3.7.6

Next Step

Update to 3.7.6 or newer if supported.

Open CVE-2023-2812 Report Open CVE Reference