Skip to main content

User Feedback CVE-2026-39475

| EUVDEUVD-2026-20141 HIGH
SQL Injection (CWE-89)
2026-04-08 Patchstack GHSA-p48j-375p-c37q
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

6
CVSS changed
Apr 29, 2026 - 10:22 NVD
8.5 (HIGH) 7.6 (HIGH)
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 15:22 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
8.5 (HIGH)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20141
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1.

AnalysisAI

Blind SQL injection in User Feedback WordPress plugin (versions ≤1.10.1) allows authenticated attackers with low privileges to extract database contents through malicious SQL queries. The vulnerability enables cross-scope exploitation with high confidentiality impact and limited availability disruption. EPSS probability is low (0.02%, 6th percentile), no public exploit identified at time of analysis, and exploitation requires authenticated access with low attack complexity.

Technical ContextAI

This vulnerability stems from improper neutralization of SQL special characters (CWE-89) in the User Feedback WordPress plugin developed by Syed Balkhi. The affected component (cpe:2.3:a:syed_balkhi:user_feedback) fails to sanitize user-supplied input before incorporating it into SQL queries, creating a blind SQL injection vector. Blind SQLi differs from traditional SQL injection in that attackers cannot directly view query results but must infer data through boolean-based or time-based techniques. The CVSS vector indicates the flaw is network-accessible (AV:N) with low attack complexity (AC:L), requires low-level privileges (PR:L), and enables scope change (S:C), suggesting the attacker can access resources beyond the vulnerable component's security context. WordPress plugin vulnerabilities of this class typically occur in AJAX handlers, REST API endpoints, or administrative interfaces where database queries are constructed using inadequately validated user input such as POST parameters, cookies, or custom headers.

RemediationAI

Upgrade User Feedback plugin to the latest patched version immediately; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability-2?_s_id=cve for specific version recommendations as vendor-released patch details are not independently confirmed in available data at time of analysis. As an interim mitigation, restrict plugin access to trusted administrator accounts only by reviewing WordPress user roles and removing unnecessary subscriber/contributor privileges, implement Web Application Firewall rules to detect and block SQL injection patterns in HTTP requests, enable WordPress database query logging to detect exploitation attempts, apply principle of least privilege to WordPress database user accounts to limit potential data exposure, and consider temporarily disabling the User Feedback plugin if it is not business-critical until patching is completed. Review database logs for suspicious query patterns (UNION statements, boolean-based conditional queries, time delays via SLEEP/BENCHMARK functions) that may indicate prior exploitation attempts.

Share

CVE-2026-39475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy