CVE-2025-14540

Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.0.16
Patched in
194d
Time to patch

Description

The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin's configuration data including the Userback API access token and site's posts/pages contents, including those that have private and draft status.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.0.15
PublishedDecember 12, 2025
Last updatedJune 24, 2026
Affected pluginuserback
Research Plan
Unverified

This research plan focuses on exploiting **CVE-2025-14540**, a Missing Authorization vulnerability in the **Userback** plugin for WordPress. Since the source code is not provided, this plan is based on the vulnerability description and common WordPress plugin patterns. All identifiers should be tr…

Show full research plan

This research plan focuses on exploiting CVE-2025-14540, a Missing Authorization vulnerability in the Userback plugin for WordPress.

Since the source code is not provided, this plan is based on the vulnerability description and common WordPress plugin patterns. All identifiers should be treated as (inferred) and verified during the initial discovery phase.


1. Vulnerability Summary

The Userback plugin (up to version 1.0.15) contains a function named userback_get_json. This function is intended to provide configuration data (like API tokens) and site content (post lists) to the Userback feedback widget. However, the function fails to implement any capability checks (e.g., current_user_can()). Consequently, any authenticated user, including those with Subscriber privileges, can call this function to leak sensitive information, including the plugin's API access token and the content of private or draft posts.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: userback_get_json (inferred from function name)
  • Authentication: Required (Subscriber or higher).
  • Parameter: action=userback_get_json
  • Vulnerability Type: Insecure Direct Object Reference (IDOR) / Missing Authorization.
  • Impact: Information Disclosure (API keys, private/draft post titles and content).

3. Code Flow (Inferred)

  1. Registration: The plugin likely registers the AJAX handler in its main file or an includes/class-userback.php file using:
    add_action('wp_ajax_userback_get_json', 'userback_get_json');
  2. Execution: When a logged-in user sends a request to admin-ajax.php with action=userback_get_json:
    • WordPress identifies the wp_ajax_ hook.
    • The userback_get_json() function is executed.
  3. Sink: Inside userback_get_json(), the code likely:
    • Fetches plugin settings using get_option('userback_settings') or similar.
    • Queries posts using get_posts() or WP_Query, potentially without restricting the post_status to 'publish'.
    • Returns this data as a JSON response using wp_send_json() or echo json_encode().
    • Critical Failure: No check for current_user_can('manage_options') or similar is performed before returning data.

4. Nonce Acquisition Strategy

While the vulnerability is "Missing Authorization," the handler might still be protected by a WordPress nonce for CSRF protection.

  1. Identify Nonce Action: Use grep -r "userback_get_json" . to find where the action is registered and if check_ajax_referer is used. If it is, identify the nonce action string (e.g., userback_nonce).
  2. Locate Localization: Search for wp_localize_script to find how the nonce is passed to the frontend.
    • Command: grep -r "wp_localize_script" .
  3. Extraction Procedure:
    • Identify a shortcode or page where the Userback widget loads (likely all pages if active).
    • Create a test page: wp post create --post_title="Nonce Page" --post_status=publish --post_content='Userback test'
    • Navigate to the page as the Subscriber user.
    • Use browser_eval to extract the nonce:
      // Example: if localized to 'userback_settings'
      window.userback_settings?.nonce 
      // or
      window.ub_vars?.nonce
      

5. Exploitation Strategy

Step 1: Information Gathering
Find the exact AJAX action and nonce requirement.

grep -rn "userback_get_json" /var/www/html/wp-content/plugins/userback/

Step 2: Setup Test Data
Create a private post and set a fake API token to confirm the leak.

# Set a dummy API token
wp option update userback_js_api_token "SECRET_API_TOKEN_12345"

# Create a private post
wp post create --post_title="Confidential Project" --post_content="This is a draft/private content." --post_status=private

Step 3: Authenticated Request
The agent will log in as a Subscriber and perform the request.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=userback_get_json&security=[NONCE_IF_REQUIRED]

6. Test Data Setup

  1. User: Create a subscriber: wp user create attacker attacker@example.com --role=subscriber --user_pass=password123.
  2. Content:
    • One "Private" post.
    • One "Draft" post.
  3. Settings: Ensure the Userback plugin is configured with an API key in the WordPress admin settings.

7. Expected Results

A successful exploit will return a JSON object containing:

  1. The userback_js_api_token (or similarly named key).
  2. An array of posts that includes the "Confidential Project" (private) and any draft posts.
  3. The post_content or post_excerpt of these non-public posts.

8. Verification Steps

After the http_request tool receives the response, verify the contents:

  1. Check for API Token: Does the JSON contain the string SECRET_API_TOKEN_12345?
  2. Check for Private Content: Does the JSON contain the string Confidential Project?
  3. Confirm Status: Verify the exposed post is indeed private via CLI:
    wp post list --post_type=post --post_status=private --fields=post_title
    

9. Alternative Approaches

If action=userback_get_json does not work:

  • Search for any use of register_rest_route in the plugin code. The vulnerability might exist in a REST API endpoint that also lacks a permission_callback.
  • Check for admin_init hooks. Sometimes developers use admin_init to handle AJAX-like requests via $_GET parameters, and admin_init runs for all users (including Subscribers) when they access admin-ajax.php.
  • If a nonce is required but not found in the frontend, check if the plugin exposes it in the admin dashboard for Subscribers via wp_head or admin_head.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Userback plugin for WordPress (up to and including version 1.0.15) fails to implement authorization checks on the userback_get_json function. This allows authenticated users with Subscriber-level privileges to access sensitive plugin configuration data and the content of private or draft posts via an AJAX request.

Exploit Outline

To exploit this vulnerability, an attacker must first authenticate as a Subscriber. They need to retrieve a valid AJAX nonce, which is typically found in localized JavaScript variables (e.g., userback_settings) on the site's frontend. The attacker then submits a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'userback_get_json' and the extracted nonce. The resulting JSON response contains the Userback API access token and the content of all posts, regardless of their visibility status (private or draft).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.