Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.
AnalysisAI
Missing authorization in Syed Balkhi User Feedback plugin versions up to 1.10.1 allows authenticated users to access sensitive feedback data and functionalities they should not have permission to view or modify, due to incorrectly configured access control security levels. With CVSS 4.3 and EPSS 0.02%, this represents a low-probability real-world exploitation risk, though it affects WordPress installations using this plugin.
Technical ContextAI
The User Feedback plugin for WordPress implements access control mechanisms to restrict user capabilities based on roles and permissions. CWE-862 (Missing Authorization) indicates the plugin fails to properly verify user permissions before granting access to protected resources or operations. The vulnerability manifests in access control security levels that are not properly enforced, allowing authenticated WordPress users with lower privilege levels to interact with feedback management functions intended for administrators or higher-privileged roles. This is a broken access control vulnerability typical in WordPress plugins where capability checks are incomplete or missing in AJAX handlers, REST API endpoints, or admin pages.
RemediationAI
Update the User Feedback plugin to a version later than 1.10.1 to obtain the access control fix. Site administrators should navigate to WordPress Plugins → Updates and upgrade User Feedback to the latest available version, which should include authorization bypass remediation. If an immediate patch version is not yet released, temporarily restrict User Feedback plugin access to administrator roles only via WordPress user capability management or disable the plugin until a patched version is available. Refer to the Patchstack security advisory at https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-broken-access-control-vulnerability for patch availability confirmation and detailed upgrade instructions.
More in User Feedback
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20142
GHSA-56rj-pppv-pvv7