How to fix CVE-2025-68496?

Within 24 hours: Audit all WordPress installations for User Feedback plugin presence using `wp plugin list` or admin console; immediately deactivate and remove the plugin if found. Within 7 days: Identify and implement alternative feedback mechanisms that are patched and maintained; verify no malicious database modifications occurred using WordPress audit logs and database backups. Within 30 days: Establish a plugin update management policy requiring prompt evaluation of security advisories; consider using WordPress security plugins with automated vulnerability scanning (e.g., Wordfence, Sucuri) to detect similar exposures in other plugins.

Is PHP affected by CVE-2025-68496?

CVE-2025-68496 is a critical unauthenticated SQL injection vulnerability in the User Feedback WordPress plugin (versions ≤1.10.0) that allows attackers to extract sensitive database contents, modify data, or execute administrative commands without authentication.

CVE-2025-68496

CRITICAL

2025-12-24 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 01, 2026 - 15:22 vuln.today

CVE Published

Dec 24, 2025 - 13:16 nvd

CRITICAL 9.8

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.0.

Analysis

Blind SQL injection in User Feedback WordPress plugin (versions ≤1.10.0) allows unauthenticated remote attackers to extract database contents, modify data, or execute administrative commands. The vulnerability carries a critical CVSS score of 9.8 due to network-based exploitation requiring no privileges or user interaction. While EPSS probability is low (0.05%, 14th percentile) and no active exploitation is confirmed at time of analysis, the severity and unauthenticated attack vector make this a priority for WordPress administrators using this plugin. Patchstack security audit identified this flaw as CWE-89 SQL injection stemming from improper input sanitization.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +49

POC: 0

CVE-2025-68496 vulnerability details – vuln.today

Back

CVE-2025-68496

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Priority Score

Share

CVE-2025-68496

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Priority Score

Share

External POC / Exploit Code