CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
What the vulnerability does
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.
Explanation of Vulnerability in Simple Terms
UserFeedback versions 1.8.0 and earlier lack proper access controls on sensitive endpoints. An attacker can read limited data without authentication by making direct requests to the application. The vulnerability requires no user interaction and affects confidentiality only. Update to a version newer than 1.8.0 to remediate.
What an attacker can do
Read limited sensitive data without logging in.
Potential impact on your site
Unauthorized users can access some non-public information stored in the application.
Conditions required to exploit
Network access to the application; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
