Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection. This issue affects User Feedback: from n/a through <= 1.10.0.
Published: 2025-12-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL Injection via the User Feedback plugin
Action: Immediate Patch
AI Analysis

Impact

The User Feedback plugin contains an SQL Injection vulnerability caused by improper neutralization of special characters in an SQL command. A malicious actor can send crafted input that results in blind SQL injection, allowing them to execute arbitrary SQL queries through the plugin’s interface. This can lead to unauthorized data disclosure, modification, or deletion within the WordPress database, potentially compromising site integrity and confidentiality.

Affected Systems

The vulnerability affects the WordPress User Feedback plugin from Syed Balkhi. All installations using version 1.10.0 or earlier are impacted.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, with potential for significant impact if exploited. EPSS suggests a low likelihood of current exploitation (<1%), and the flaw is not listed in the CISA KEV catalog. The attack vector is likely web traffic to the plugin's data entry points, where user-supplied input reaches an SQL query without proper sanitization. Although exploitation is presently rare, the effect could be serious if an attacker entices users or if automated attacks succeed.

Generated by OpenCVE AI on April 28, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to User Feedback plugin version 1.10.1 or later to eliminate the injection flaw.
  • If upgrading is not immediately possible, disable or uninstall the plugin to remove the vulnerable code path.
  • Apply database best-practice measures: ensure the database user has only the least privileges required, and that other WordPress components use parameterized queries or prepared statements, to mitigate similar risks.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.0.

Type: Title
Values Removed: WordPress User Feedback plugin <= 1.10.1 - SQL Injection vulnerability
Values Added: WordPress User Feedback plugin <= 1.10.0 - SQL Injection vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 12:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1.

Type: Title
Values Added: WordPress User Feedback plugin <= 1.10.1 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Sources

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:28.673Z

Reserved: 2025-12-19T10:16:41.921Z

Link: CVE-2025-68496

Vulnrichment

Updated: 2025-12-24T19:13:01.893Z

NVD

Status: Deferred

Published: 2025-12-24T13:16:20.043

Modified: 2026-04-27T19:16:25.510

Link: CVE-2025-68496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:30:37Z

Weaknesses