Description
The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the plugin's configuration data, including the Userback API access token, and the contents of the site's posts and pages, including those with private and draft status.
Published: 2025-12-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure via missing authorization checks
Action: Apply patch
AI Analysis

Impact

The Userback WordPress plugin version 1.0.15 and earlier contains a missing capability check in the userback_get_json function. This flaw allows authenticated users who possess at least Subscriber privileges to retrieve the plugin’s configuration data, including the Userback API access token, and the content of the site’s posts and pages, even if those items are marked as private or draft. The weakness aligns with CWE-862 (Missing Authorization).
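As an added illustration, not code from the Userback plugin or from OpenCVE, the following hypothetical WordPress admin-ajax handler shows the CWE-862 pattern the advisory describes beside a hardened form. Every name prefixed plugin_example_ is assumed; the WordPress calls used (check_ajax_referer, current_user_can, wp_send_json_success, wp_send_json_error, get_option, get_posts, add_action) are real API.

```php
<?php
// Hypothetical handler pair illustrating CWE-862 (Missing Authorization) in a
// WordPress plugin. Not the Userback plugin's code; all plugin_example_* names
// and the 'plugin_example_settings' option are assumptions for this example.

// Vulnerable form: every logged-in user, Subscriber included, can reach a
// wp_ajax_* action, so with no capability check the handler returns the
// plugin settings (secrets included) and non-public post content.
function plugin_example_get_json_vulnerable() {
    $settings = get_option( 'plugin_example_settings', array() );
    $posts    = get_posts( array(
        'post_status' => array( 'publish', 'private', 'draft' ),
        'numberposts' => 50,
    ) );
    wp_send_json_success( array( 'settings' => $settings, 'posts' => $posts ) );
}

// Hardened form: verify the request nonce and require a capability that only
// administrators hold before returning anything; also keep secrets out of the
// response and limit the data to what the caller is allowed to see.
function plugin_example_get_json_hardened() {
    // Reject requests that do not carry the nonce issued to the settings page.
    check_ajax_referer( 'plugin_example_get_json', 'nonce' );

    // The CWE-862 fix: an explicit authorization check. Being logged in is not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = get_option( 'plugin_example_settings', array() );
    // Do not echo API tokens to the browser even for administrators.
    unset( $settings['api_token'] );

    // Only published posts, and only their IDs, are needed by the settings UI.
    $post_ids = get_posts( array(
        'post_status' => 'publish',
        'numberposts' => 50,
        'fields'      => 'ids',
    ) );
    wp_send_json_success( array( 'settings' => $settings, 'post_ids' => $post_ids ) );
}

// Register only the hardened handler. The wp_ajax_nopriv_* hook is deliberately
// not registered, so unauthenticated requests never reach this code path.
add_action( 'wp_ajax_plugin_example_get_json', 'plugin_example_get_json_hardened' );
```

The point of the hardened version is that the capability check, not the login state, decides access: Subscriber accounts pass the authentication gate of wp_ajax_* hooks but fail current_user_can( 'manage_options' ), which is the check the advisory says the affected versions lack.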

Affected Systems

All WordPress sites running the Userback plugin version 1.0.15 or earlier are affected. The plugin can be found under the vendor name userback:Userback.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate overall impact. The EPSS score of less than 1% suggests the likelihood of exploitation at the time of analysis is very low, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is an authenticated user with Subscriber or higher privileges. The attacker can read configuration data and private content.

Generated by OpenCVE AI on April 27, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Userback plugin to the latest version (v1.0.16 or higher) to remove the missing authorization check.
  • If an immediate upgrade is not possible, restrict the configuration page to administrator roles only using WordPress role management tools.
  • Audit user role assignments to minimize the number of users with Subscriber or higher privileges, reducing the potential attack surface.

Generated by OpenCVE AI on April 27, 2026 at 22:30 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 14 Dec 2025 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Userback, Userback userback, Wordpress, Wordpress wordpress
Vendors & Products | | Userback, Userback userback, Wordpress, Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type | Values Removed | Values Added
Description | | The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the plugin's configuration data, including the Userback API access token, and the contents of the site's posts and pages, including those with private and draft status.
Title | | Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Userback Userback
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:10.684Z

Reserved: 2025-12-11T12:12:04.086Z

Link: CVE-2025-14540

Vulnrichment

Updated: 2025-12-15T15:43:41.288Z

NVD

Status : Deferred

Published: 2025-12-13T16:16:51.260

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:45:15Z

Weaknesses