System Dashboard Security & Risk Analysis

wordpress.org/plugins/system-dashboard

Central dashboard to monitor various WordPress components, processes and data, including the server.

1K active installs · v2.8.21 · PHP 5.6+ · WP 4.8+ · Updated Sep 19, 2025
Tags: action-filter-hooks, developer, server-info, system-monitor, wordpress-components

Score 94 · A · Safe
CVEs total: 11
Unpatched: 0
Last CVE: Sep 25, 2025

Safety Verdict

Is System Dashboard Safe to Use in 2026?

Generally Safe

Score 94/100

System Dashboard has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Sep 25, 2025 · Updated 6mo ago

Risk Assessment

The 'system-dashboard' plugin, version 2.8.21, presents a significant security risk, primarily because its extensive attack surface lacks proper authorization checks. With 32 AJAX handlers, all identified as unprotected, an attacker could potentially trigger unauthorized actions. While the code signals indicate a good general practice of using prepared statements for SQL queries and a decent rate of output escaping, the presence of dangerous functions like 'exec', 'shell_exec', and 'unserialize' alongside unsanitized paths in taint analysis is concerning. The high number of known CVEs (11), none of which are currently unpatched, and a history of critical types like Missing Authorization and Path Traversal suggest a recurring pattern of security weaknesses. The plugin's past vulnerabilities, particularly those involving authorization and path manipulation, combined with the current lack of authentication on a large portion of its entry points, create a favorable environment for attackers. Despite strengths in SQL and output handling, the fundamental flaws in authorization and the historical vulnerability profile demand immediate attention.

Key Concerns

  • 32 unprotected AJAX handlers
  • Dangerous functions found (exec, shell_exec, unserialize)
  • Flows with unsanitized paths (1 critical, 1 high)
  • 11 known CVEs with historical authorization/path issues
  • Missing nonce checks on 32 AJAX handlers
  • Low rate of output escaping (79%)
  • Bundled DataTables library (potential for outdated versions)

Vulnerabilities · 11

System Dashboard Security Vulnerabilities

CVEs by Year

  • 2023: 5 CVEs
  • 2024: 3 CVEs
  • 2025: 3 CVEs

Severity Breakdown

  • High: 1
  • Medium: 10

11 total CVEs

CVE-2025-10377 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
System Dashboard <= 2.8.20 - Cross-Site Request Forgery
Sep 25, 2025 · Patched in 2.8.21 (1d)

CVE-2025-26911 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor
System Dashboard <= 2.8.18 - Authenticated (Subscriber+) Sensitive Information Exposure
Feb 23, 2025 · Patched in 2.8.19 (9d)

CVE-2024-12299 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Dashboard <= 2.8.17 - Reflected Cross-Site Scripting via Filename Parameter
Jan 30, 2025 · Patched in 2.8.18 (13d)

CVE-2024-11107 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Dashboard <= 2.8.14 - Unauthenticated Stored Cross-Site Scripting
Nov 19, 2024 · Patched in 2.8.15 (24d)

CVE-2024-10708 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
System Dashboard <= 2.8.14 - Authenticated (Admin+) Arbitrary File Read
Nov 19, 2024 · Patched in 2.8.15 (24d)

CVE-2023-7246 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Dashboard <= 2.8.9 - Reflected Cross-Site Scripting via X-Forwarded-For
Feb 28, 2024 · Patched in 2.8.10 (171d)

CVE-2023-5711 · medium · 4.3 · Missing Authorization
System Dashboard <= 2.8.8 - Missing Authorization to Information Disclosure (sd_php_info)
Dec 6, 2023 · Patched in 2.8.8 (76d)

CVE-2023-5714 · medium · 4.3 · Missing Authorization
System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_db_specs)
Dec 6, 2023 · Patched in 2.8.8 (48d)

CVE-2023-5712 · medium · 4.3 · Missing Authorization
System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_global_value)
Dec 6, 2023 · Patched in 2.8.8 (48d)

CVE-2023-5713 · medium · 4.3 · Missing Authorization
System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_option_value)
Dec 6, 2023 · Patched in 2.8.8 (57d)

CVE-2023-5710 · medium · 4.3 · Missing Authorization
System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_constants)
Dec 6, 2023 · Patched in 2.8.8 (48d)

Code Analysis
Analyzed Mar 16, 2026

System Dashboard Code Analysis

  • Dangerous Functions: 18
  • Raw SQL Queries: 2 (22 prepared)
  • Unescaped Output: 42 (157 escaped)
  • Nonce Checks: 32
  • Capability Checks: 33
  • File Operations: 24
  • External Requests: 9
  • Bundled Libraries: 1

Dangerous Functions Found

exec · $gs = exec( 'gs --version' ); · admin\class-system-dashboard-admin.php:934
shell_exec · $returnVal = shell_exec('pwd'); · admin\class-system-dashboard-admin.php:1301
exec · $returnVal = exec('pwd'); · admin\class-system-dashboard-admin.php:1329
shell_exec · $raw_uptime = shell_exec("cut -d. -f1 /proc/uptime"); · admin\class-system-dashboard-admin.php:1404
shell_exec · $uptime = trim(shell_exec("cut -d. -f1 /proc/uptime")); · admin\class-system-dashboard-admin.php:1407
shell_exec · $os = shell_exec( 'lsb_release -a' ); · admin\class-system-dashboard-admin.php:1439
unserialize · $location_data = unserialize( file_get_contents('http://www.geoplugin.net/php.gp?ip=' . $server_ip ) · admin\class-system-dashboard-admin.php:1490
shell_exec · $sd_cpu_type = shell_exec( 'grep "model name" /proc/cpuinfo | uniq' ); · admin\class-system-dashboard-admin.php:1531
shell_exec · $cpu_count = shell_exec('cat /proc/cpuinfo |grep "physical id" | sort | uniq | wc -l'); · admin\class-system-dashboard-admin.php:1569
shell_exec · $cpu_core_count = shell_exec("echo \"$((`cat /proc/cpuinfo | grep cores | grep -o -E '[0-9]+' | uniq · admin\class-system-dashboard-admin.php:1598
shell_exec · $cpu_load_average = shell_exec("uptime"); · admin\class-system-dashboard-admin.php:1650
shell_exec · $total_ram = shell_exec("grep -w 'MemTotal' /proc/meminfo | grep -o -E '[0-9]+'"); · admin\class-system-dashboard-admin.php:1740
shell_exec · $ram_cache = shell_exec("grep -w 'Cached' /proc/meminfo | grep -o -E '[0-9]+'"); · admin\class-system-dashboard-admin.php:1774
shell_exec · $ram_buffer = shell_exec("grep -w 'Buffers' /proc/meminfo | grep -o -E '[0-9]+'"); · admin\class-system-dashboard-admin.php:1804
shell_exec · $free_ram = shell_exec("grep -w 'MemFree' /proc/meminfo | grep -o -E '[0-9]+'"); · admin\class-system-dashboard-admin.php:1834
exec · exec('du -h --max-depth=1 ' . $path, $result); · admin\class-system-dashboard-admin.php:2147
shell_exec · $shell_output = shell_exec( $shell_command ); · admin\class-system-dashboard-admin.php:7859
shell_exec · $shell_output = shell_exec( $shell_command ); · admin\class-system-dashboard-admin.php:7990

Bundled Libraries

DataTables

SQL Query Safety

92% prepared · 24 total queries

Output Escaping

79% escaped · 199 total outputs

Data Flows · 4 unsanitized

Data Flow Analysis

11 flows · 4 with unsanitized paths

[Data flow graph for class-system-dashboard-admin (admin\class-system-dashboard-admin.php:0). Legend: source (user input), sink (dangerous op), sanitizer, transform, unsanitized, sanitized]

Attack Surface · 32 unprotected

System Dashboard Attack Surface

Entry Points: 32
Unprotected: 32

AJAX Handlers 32

auth · wp_ajax_sd_db_tables · includes\class-system-dashboard.php:219
auth · wp_ajax_sd_db_specs · includes\class-system-dashboard.php:220
auth · wp_ajax_sd_db_details · includes\class-system-dashboard.php:221
auth · wp_ajax_sd_post_types · includes\class-system-dashboard.php:222
auth · wp_ajax_sd_taxonomies · includes\class-system-dashboard.php:223
auth · wp_ajax_sd_old_slugs · includes\class-system-dashboard.php:224
auth · wp_ajax_sd_media_count · includes\class-system-dashboard.php:225
auth · wp_ajax_sd_image_sizes · includes\class-system-dashboard.php:226
auth · wp_ajax_sd_mime_types · includes\class-system-dashboard.php:227
auth · wp_ajax_sd_media_handling · includes\class-system-dashboard.php:228
auth · wp_ajax_sd_directory_sizes · includes\class-system-dashboard.php:229
auth · wp_ajax_sd_filesystem_permissions · includes\class-system-dashboard.php:230
auth · wp_ajax_sd_custom_fields · includes\class-system-dashboard.php:231
auth · wp_ajax_sd_user_count · includes\class-system-dashboard.php:232
auth · wp_ajax_sd_roles_capabilities · includes\class-system-dashboard.php:233
auth · wp_ajax_sd_rewrite_rules · includes\class-system-dashboard.php:234
auth · wp_ajax_sd_shortcodes · includes\class-system-dashboard.php:235
auth · wp_ajax_sd_option_value · includes\class-system-dashboard.php:236
auth · wp_ajax_sd_cache_value · includes\class-system-dashboard.php:237
auth · wp_ajax_sd_global_value · includes\class-system-dashboard.php:238
auth · wp_ajax_sd_wpcore_hooks · includes\class-system-dashboard.php:239
auth · wp_ajax_sd_hooks · includes\class-system-dashboard.php:240
auth · wp_ajax_sd_classes · includes\class-system-dashboard.php:241
auth · wp_ajax_sd_functions · includes\class-system-dashboard.php:242
auth · wp_ajax_sd_constants · includes\class-system-dashboard.php:243
auth · wp_ajax_sd_viewer · includes\class-system-dashboard.php:244
auth · wp_ajax_sd_viewer_url · includes\class-system-dashboard.php:245
auth · wp_ajax_sd_php_info · includes\class-system-dashboard.php:246
auth · wp_ajax_sd_toggle_logs · includes\class-system-dashboard.php:248
auth · wp_ajax_sd_page_access_log · includes\class-system-dashboard.php:249
auth · wp_ajax_sd_errors_log · includes\class-system-dashboard.php:250
auth · wp_ajax_sd_email_delivery_log · includes\class-system-dashboard.php:251

WordPress Hooks 11

action · plugins_loaded · includes\class-system-dashboard.php:151
action · admin_menu · includes\class-system-dashboard.php:188
action · admin_enqueue_scripts · includes\class-system-dashboard.php:192
action · admin_enqueue_scripts · includes\class-system-dashboard.php:193
action · csf_loaded · includes\class-system-dashboard.php:201
action · update_footer · includes\class-system-dashboard.php:204
action · admin_menu · includes\class-system-dashboard.php:208
action · admin_notices · includes\class-system-dashboard.php:215
action · admin_footer · includes\class-system-dashboard.php:218
action · init · includes\class-system-dashboard.php:259
filter · wp_mail · includes\class-system-dashboard.php:266

Maintenance & Trust

System Dashboard Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Sep 19, 2025
  • PHP min version: 5.6
  • Downloads: 21K

Community Trust

  • Rating: 98/100
  • Number of ratings: 16
  • Active installs: 1K

Developer Profile

System Dashboard Developer Profile

Bowo

7 plugins · 211K total installs

  • Trust score: 80
  • Avg Security Score: 89/100
  • Avg Patch Time: 35 days
Detection Fingerprints

How We Detect System Dashboard

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/system-dashboard/css/system-dashboard-admin.css
  • /wp-content/plugins/system-dashboard/css/jquery.json-viewer.css
  • /wp-content/plugins/system-dashboard/css/datatables.min.css
  • /wp-content/plugins/system-dashboard/css/fomantic-ui/accordion.css
  • /wp-content/plugins/system-dashboard/js/system-dashboard-admin.js
  • /wp-content/plugins/system-dashboard/js/jquery.json-viewer.js
  • /wp-content/plugins/system-dashboard/js/datatables.min.js
  • /wp-content/plugins/system-dashboard/js/fomantic-ui/accordion.js

Script Paths

  • /wp-content/plugins/system-dashboard/js/system-dashboard-admin.js
  • /wp-content/plugins/system-dashboard/js/jquery.json-viewer.js
  • /wp-content/plugins/system-dashboard/js/datatables.min.js
  • /wp-content/plugins/system-dashboard/js/fomantic-ui/accordion.js

Version Parameters

  • system-dashboard?ver=
  • system-dashboard-json-viewer?ver=
  • system-dashboard-datatables?ver=
  • system-dashboard-fomantic-ui-accordion?ver=
  • system-dashboard-admin.js?ver=
  • jquery.json-viewer.js?ver=
  • datatables.min.js?ver=
  • accordion.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • mc-collapsible
  • search-filter
  • field-parts
  • first-part
  • full-width
  • search-filter-additional-info

Data Attributes

  • data-controls

JS Globals

  • System_Dashboard
  • jQuery

FAQ

Frequently Asked Questions about System Dashboard