Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure
Description
The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin's configuration data including the Userback API access token and site's posts/pages contents, including those that have private and draft status.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
This research plan focuses on exploiting **CVE-2025-14540**, a Missing Authorization vulnerability in the **Userback** plugin for WordPress. Since the source code is not provided, this plan is based on the vulnerability description and common WordPress plugin patterns. All identifiers should be tr…
Show full research plan
This research plan focuses on exploiting CVE-2025-14540, a Missing Authorization vulnerability in the Userback plugin for WordPress.
Since the source code is not provided, this plan is based on the vulnerability description and common WordPress plugin patterns. All identifiers should be treated as (inferred) and verified during the initial discovery phase.
1. Vulnerability Summary
The Userback plugin (up to version 1.0.15) contains a function named userback_get_json. This function is intended to provide configuration data (like API tokens) and site content (post lists) to the Userback feedback widget. However, the function fails to implement any capability checks (e.g., current_user_can()). Consequently, any authenticated user, including those with Subscriber privileges, can call this function to leak sensitive information, including the plugin's API access token and the content of private or draft posts.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php - Action:
userback_get_json(inferred from function name) - Authentication: Required (Subscriber or higher).
- Parameter:
action=userback_get_json - Vulnerability Type: Insecure Direct Object Reference (IDOR) / Missing Authorization.
- Impact: Information Disclosure (API keys, private/draft post titles and content).
3. Code Flow (Inferred)
- Registration: The plugin likely registers the AJAX handler in its main file or an
includes/class-userback.phpfile using:add_action('wp_ajax_userback_get_json', 'userback_get_json'); - Execution: When a logged-in user sends a request to
admin-ajax.phpwithaction=userback_get_json:- WordPress identifies the
wp_ajax_hook. - The
userback_get_json()function is executed.
- WordPress identifies the
- Sink: Inside
userback_get_json(), the code likely:- Fetches plugin settings using
get_option('userback_settings')or similar. - Queries posts using
get_posts()orWP_Query, potentially without restricting thepost_statusto 'publish'. - Returns this data as a JSON response using
wp_send_json()orecho json_encode(). - Critical Failure: No check for
current_user_can('manage_options')or similar is performed before returning data.
- Fetches plugin settings using
4. Nonce Acquisition Strategy
While the vulnerability is "Missing Authorization," the handler might still be protected by a WordPress nonce for CSRF protection.
- Identify Nonce Action: Use
grep -r "userback_get_json" .to find where the action is registered and ifcheck_ajax_refereris used. If it is, identify the nonce action string (e.g.,userback_nonce). - Locate Localization: Search for
wp_localize_scriptto find how the nonce is passed to the frontend.- Command:
grep -r "wp_localize_script" .
- Command:
- Extraction Procedure:
- Identify a shortcode or page where the Userback widget loads (likely all pages if active).
- Create a test page:
wp post create --post_title="Nonce Page" --post_status=publish --post_content='Userback test' - Navigate to the page as the Subscriber user.
- Use
browser_evalto extract the nonce:// Example: if localized to 'userback_settings' window.userback_settings?.nonce // or window.ub_vars?.nonce
5. Exploitation Strategy
Step 1: Information Gathering
Find the exact AJAX action and nonce requirement.
grep -rn "userback_get_json" /var/www/html/wp-content/plugins/userback/
Step 2: Setup Test Data
Create a private post and set a fake API token to confirm the leak.
# Set a dummy API token
wp option update userback_js_api_token "SECRET_API_TOKEN_12345"
# Create a private post
wp post create --post_title="Confidential Project" --post_content="This is a draft/private content." --post_status=private
Step 3: Authenticated Request
The agent will log in as a Subscriber and perform the request.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=userback_get_json&security=[NONCE_IF_REQUIRED]
6. Test Data Setup
- User: Create a subscriber:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123. - Content:
- One "Private" post.
- One "Draft" post.
- Settings: Ensure the Userback plugin is configured with an API key in the WordPress admin settings.
7. Expected Results
A successful exploit will return a JSON object containing:
- The
userback_js_api_token(or similarly named key). - An array of posts that includes the "Confidential Project" (private) and any draft posts.
- The
post_contentorpost_excerptof these non-public posts.
8. Verification Steps
After the http_request tool receives the response, verify the contents:
- Check for API Token: Does the JSON contain the string
SECRET_API_TOKEN_12345? - Check for Private Content: Does the JSON contain the string
Confidential Project? - Confirm Status: Verify the exposed post is indeed private via CLI:
wp post list --post_type=post --post_status=private --fields=post_title
9. Alternative Approaches
If action=userback_get_json does not work:
- Search for any use of
register_rest_routein the plugin code. The vulnerability might exist in a REST API endpoint that also lacks apermission_callback. - Check for
admin_inithooks. Sometimes developers useadmin_initto handle AJAX-like requests via$_GETparameters, andadmin_initruns for all users (including Subscribers) when they accessadmin-ajax.php. - If a nonce is required but not found in the frontend, check if the plugin exposes it in the admin dashboard for Subscribers via
wp_headoradmin_head.
Summary
The Userback plugin for WordPress (up to and including version 1.0.15) fails to implement authorization checks on the userback_get_json function. This allows authenticated users with Subscriber-level privileges to access sensitive plugin configuration data and the content of private or draft posts via an AJAX request.
Exploit Outline
To exploit this vulnerability, an attacker must first authenticate as a Subscriber. They need to retrieve a valid AJAX nonce, which is typically found in localized JavaScript variables (e.g., userback_settings) on the site's frontend. The attacker then submits a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'userback_get_json' and the extracted nonce. The resulting JSON response contains the Userback API access token and the content of all posts, regardless of their visibility status (private or draft).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.