Userback WordPress Plugin Missing Authorization Vulnerability Allows Data Exposure

Vulnerability

A vulnerability exists in the Userback plugin for WordPress, in all versions through 1.0.15, due to a lack of proper capability checks in the 'userback_get_json' function. This flaw enables authenticated attackers with Subscriber-level access or higher to access and extract sensitive plugin configuration data. The exposed data includes the Userback API access token and content from the site's posts and pages, even those marked as private or in draft status.
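The missing-capability-check pattern described above, next to a hardened handler, as an added illustration that is not the Userback plugin's code. It assumes the function is hooked as a wp_ajax_ action, which the advisory does not state. Every name beginning with example_ is hypothetical.

```php
<?php
/**
 * Plugin Name: Example JSON endpoint (illustration only)
 *
 * Hypothetical names: example_get_json, example_get_json_unsafe,
 * example_settings, example_nonce. Nothing here is taken from Userback.
 */

defined( 'ABSPATH' ) || exit;

// wp_ajax_{action} fires for ANY logged-in user, Subscribers included.
// Registering the hook is therefore not an authorization check.
add_action( 'wp_ajax_example_get_json_unsafe', 'example_get_json_unsafe' );
add_action( 'wp_ajax_example_get_json', 'example_get_json' );

/** Builds the response: plugin settings plus a list of pages. */
function example_build_payload() {
    return array(
        // Assumed option that may hold a third-party API token.
        'settings' => get_option( 'example_settings', array() ),
        'pages'    => get_posts(
            array(
                'post_type'   => 'page',
                // Explicit statuses: private and draft pages are returned too.
                'post_status' => array( 'publish', 'private', 'draft' ),
                'numberposts' => -1,
            )
        ),
    );
}

/** BEFORE: being logged in is the only gate, so a Subscriber gets everything. */
function example_get_json_unsafe() {
    wp_send_json( example_build_payload() );
}

/** AFTER: verify the nonce and the capability before reading any data. */
function example_get_json() {
    // Dies with a 403 response if the nonce is missing or invalid.
    check_ajax_referer( 'example_nonce', 'nonce' );

    // Settings and unpublished content are administrator data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    wp_send_json_success( example_build_payload() );
}
```

The nonce only protects against forged requests; the current_user_can() call is what enforces authorization, and it has to run before the option and posts are read.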

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive plugin configuration data, including the Userback API access token and private or draft content from the site's posts and pages.

Added: Dec 13, 2025, 4:49 PM
Updated: Dec 13, 2025, 4:49 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 6.1
remediation: 0.0
relevance: 1.4
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.