Description
Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Missing Authorization
Action: Patch Now
AI Analysis

Impact

The flaw is an access‑control weakness that lets an attacker bypass the plugin’s intended restrictions. By exploiting the missing authorization check, an attacker can view or modify the plugin’s data without the required privileges. This is a classic example of the CWE‑862 vulnerability type.

Affected Systems

Installations of the User Feedback plugin from Syed Balkhi that are version 1.10.1 or earlier are vulnerable. Any user running one of these releases may be affected until the plugin is updated to a fixed version.

Risk and Exploitability

The vulnerability carries a severity score of 4.3, indicating a moderate risk. Current indicators show that the likelihood of exploitation is low, with reported exploit attempts below 1 percent. It is not included in the CISA Known Exploited Vulnerabilities catalog, suggesting no widespread exploitation has been observed to date. The likely attack path involves the plugin’s administrative interfaces or exposed endpoints, where a request that does not meet the required authorization can be sent. The impact is limited to the data and functions of the plugin, but could provide a foothold for further privilege escalation if sensitive information is accessed or if the attacker can manipulate settings that affect the wider WordPress installation.

Generated by OpenCVE AI on April 13, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the User Feedback plugin to the latest available version that includes the fix for the missing authorization issue.
  • If an update is not immediately available, restrict access to the plugin’s administrative URLs by configuring capability requirements or network‑level controls to prevent unauthorized users from invoking the plugin functionality.
  • Verify that all user roles have appropriate permission sets and that no customizations have removed required capability checks for the plugin.

Generated by OpenCVE AI on April 13, 2026 at 19:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Syed Balkhi
Syed Balkhi user Feedback
Wordpress
Wordpress wordpress
Vendors & Products Syed Balkhi
Syed Balkhi user Feedback
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.
Title WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Syed Balkhi User Feedback
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:01.915Z

Reserved: 2026-04-07T10:42:07.235Z

Link: CVE-2026-39476

cve-icon Vulnrichment

Updated: 2026-04-13T16:32:12.368Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:22.393

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39476

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:07Z

Weaknesses