Unauthorized Data Access in User Feedback Plugin for WordPress
CVE-2025-10694

5.3 MEDIUM

What is CVE-2025-10694?

The User Feedback plugin for WordPress is affected by a security flaw that allows unauthorized users to access sensitive configuration information. This vulnerability arises from a lack of capability checks on the maybe_load_onboarding_wizard function in all versions up to and including 1.8.0. As a result, unauthenticated attackers can directly navigate to the onboarding wizard page, potentially exposing details such as the administrator's email address, which heightens the risk of further attacks.
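
The missing check described above, as an added PHP illustration that is not the plugin's own code or its vendor's patch: a wizard loader with no capability check, next to one that requires a capability before rendering. The `example_` function names, the `example-onboarding` slug, the `admin_init` hook and the `manage_options` capability are all assumptions made for the example.

```php
<?php
// Added illustration. Every example_* name and the page slug are hypothetical.

// BEFORE: the handler looks only at the requested page slug and never asks
// who is making the request.
function example_maybe_load_wizard_unchecked() {
    if ( ! isset( $_GET['page'] ) || 'example-onboarding' !== $_GET['page'] ) {
        return;
    }
    example_render_wizard(); // Reached by any visitor whose request fires the hook.
    exit;
}

// AFTER: the same handler, refusing to render unless the current user holds
// an administrative capability (assumed here to be manage_options).
function example_maybe_load_wizard() {
    if ( ! isset( $_GET['page'] ) ) {
        return;
    }
    $page = sanitize_key( wp_unslash( $_GET['page'] ) );
    if ( 'example-onboarding' !== $page ) {
        return;
    }
    // current_user_can() returns false for logged-out visitors, so this one
    // call covers both authentication and authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to access this page.' ),
            '',
            array( 'response' => 403 )
        );
    }
    example_render_wizard();
    exit;
}
// admin_init is not an access control by itself: WordPress also fires it for
// requests from visitors who are not logged in (admin-ajax.php, for example).
add_action( 'admin_init', 'example_maybe_load_wizard' );

// Settings embedded in the wizard markup are what an unchecked loader exposes.
function example_render_wizard() {
    $settings = array( 'admin_email' => get_option( 'admin_email' ) );
    printf( '<script>var exampleWizard = %s;</script>', wp_json_encode( $settings ) );
}
```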

Affected Version(s)

User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds * <= 1.8.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ngoc Quang Bach