{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39476", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:42:07.235Z", "datePublished": "2026-04-08T08:30:09.401Z", "dateUpdated": "2026-04-13T16:32:39.833Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "userfeedback-lite", "product": "User Feedback", "vendor": "Syed Balkhi", "versions": [{"changes": [{"at": "1.11.0", "status": "unaffected"}], "lessThanOrEqual": "1.10.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.008Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects User Feedback: from n/a through <= 1.10.1.</p>"}], "value": "Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:09.401Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T16:32:16.076585Z", "id": "CVE-2026-39476", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:32:39.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T16:32:16.076585Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:32:12.368Z"}}], "cna": {"title": "WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Syed Balkhi", "product": "User Feedback", "versions": [{"status": "affected", "changes": [{"at": "1.11.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.10.1"}], "packageName": "userfeedback-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:57.008Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects User Feedback: from n/a through <= 1.10.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:09.401Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39476", "state": "PUBLISHED", "dateUpdated": "2026-04-13T16:32:39.833Z", "dateReserved": "2026-04-07T10:42:07.235Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:09.401Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1."}], "id": "CVE-2026-39476", "lastModified": "2026-04-13T17:16:29.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:22.393", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.10.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "User Feedback", "source": "cna", "vendor": "Syed Balkhi"}, "product": "user_feedback", "vendor": "syed_balkhi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T19:09:45.723896+00:00", "value": {"mitigation_remediation": ["Update the User Feedback plugin to the latest available version that includes the fix for the missing authorization issue.", "If an update is not immediately available, restrict access to the plugin\u2019s administrative URLs by configuring capability requirements or network\u2011level controls to prevent unauthorized users from invoking the plugin functionality.", "Verify that all user roles have appropriate permission sets and that no customizations have removed required capability checks for the plugin."], "summary": {"action": "Patch Now", "impact": "Unauthorized Access via Missing Authorization"}, "threat_synthesis": {"affected_systems": "Installations of the User Feedback plugin from Syed Balkhi that are version 1.10.1 or earlier are vulnerable. Any user running one of these releases may be affected until the plugin is updated to a fixed version.", "description_and_impact": "The flaw is an access\u2011control weakness that lets an attacker bypass the plugin\u2019s intended restrictions. By exploiting the missing authorization check, an attacker can view or modify the plugin\u2019s data without the required privileges. This is a classic example of the CWE\u2011862 vulnerability type.", "risk_and_exploitability": "The vulnerability carries a severity score of 4.3, indicating a moderate risk. Current indicators show that the likelihood of exploitation is low, with reported exploit attempts below 1 percent. It is not included in the CISA Known Exploited Vulnerabilities catalog, suggesting no widespread exploitation has been observed to date. The likely attack path involves the plugin\u2019s administrative interfaces or exposed endpoints, where a request that does not meet the required authorization can be sent. The impact is limited to the data and functions of the plugin, but could provide a foothold for further privilege escalation if sensitive information is accessed or if the attacker can manipulate settings that affect the wider WordPress installation."}}}}, "created": "2026-04-08T19:30:50.808843+00:00", "updated": "2026-04-14T16:40:07.861385+00:00", "vendors": ["syed_balkhi", "syed_balkhi$PRODUCT$user_feedback", "wordpress", "wordpress$PRODUCT$wordpress"]}