WordPress Plugin Vulnerabilities

User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds < 1.9.0 - Missing Authorization to Information Disclosure

Description

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.

Affects Plugins

Plugin icon
userfeedback-lite
Fixed in 1.9.0

References

CVE
CVE-2025-10694
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9026b417-4b35-4bec-9dc6-6797661dc7a8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nguyen Ngoc Quang Bach (maysbachs)
Verified
No
WPVDB ID
935e272c-1d5c-4812-8486-6ad03981ebee

Timeline

Publicly Published
2025-10-24 (about 6 months ago)
Added
2025-10-24 (about 6 months ago)
Last Updated
2025-10-25 (about 6 months ago)

Other

Published
Title
Published
2026-01-07
Title
Re Gallery < 1.18.10 - Missing Authorization
Published
2023-07-26
Title
InstaWP Connect < 0.0.9.19 - Unauthenticated Data Modification
Published
2026-01-22
Title
Cloudinary <= 3.3.0 - Missing Authorization
Published
2025-01-30
Title
Live2DWebCanvas < 1.9.12 - Subscriber+ Arbitrary File Deletion
Published
2026-01-12
Title
Orchid Store <= 1.5.15 - Missing Authorization