Skip to main content

User Feedback EUVDEUVD-2026-20142

| CVE-2026-39476 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-56rj-pppv-pvv7
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:39 vuln.today
CVSS changed
Apr 13, 2026 - 17:22 NVD
4.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20142
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.

AnalysisAI

Missing authorization in Syed Balkhi User Feedback plugin versions up to 1.10.1 allows authenticated users to access sensitive feedback data and functionalities they should not have permission to view or modify, due to incorrectly configured access control security levels. With CVSS 4.3 and EPSS 0.02%, this represents a low-probability real-world exploitation risk, though it affects WordPress installations using this plugin.

Technical ContextAI

The User Feedback plugin for WordPress implements access control mechanisms to restrict user capabilities based on roles and permissions. CWE-862 (Missing Authorization) indicates the plugin fails to properly verify user permissions before granting access to protected resources or operations. The vulnerability manifests in access control security levels that are not properly enforced, allowing authenticated WordPress users with lower privilege levels to interact with feedback management functions intended for administrators or higher-privileged roles. This is a broken access control vulnerability typical in WordPress plugins where capability checks are incomplete or missing in AJAX handlers, REST API endpoints, or admin pages.

RemediationAI

Update the User Feedback plugin to a version later than 1.10.1 to obtain the access control fix. Site administrators should navigate to WordPress Plugins → Updates and upgrade User Feedback to the latest available version, which should include authorization bypass remediation. If an immediate patch version is not yet released, temporarily restrict User Feedback plugin access to administrator roles only via WordPress user capability management or disable the plugin until a patched version is available. Refer to the Patchstack security advisory at https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-broken-access-control-vulnerability for patch availability confirmation and detailed upgrade instructions.

Share

EUVD-2026-20142 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy