PT-2025-51081 · WordPress · Userback
Jason Carle · Published 2025-12-13 · Updated 2025-12-13 · CVE-2025-14540
CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Userback plugin for WordPress versions through 1.0.15
Description
The Userback plugin for WordPress has a flaw that allows unauthorized access to data. This is due to a missing capability check within the userback get json function. Authenticated attackers with Subscriber-level access or higher can extract the plugin’s configuration data, including the Userback API access token and the contents of site posts and pages, even those with private or draft status.
Recommendations
Update the Userback plugin to a version newer than 1.0.15.
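The missing-authorization pattern described above, next to a hardened handler, as an added illustration for plugin authors and reviewers. This is not the Userback plugin's code: the action names, the option name, the `access_token` key and the nonce name are hypothetical, and it assumes the function is exposed as a `wp_ajax_` action, which the advisory does not state.

```php
<?php
// Added illustration: hypothetical plugin code, not the Userback source.
// Assumption: the handler is a wp_ajax_ action, reachable through
// admin-ajax.php by any logged-in user, Subscriber included.

// Vulnerable pattern: the caller is authenticated but never authorized.
add_action( 'wp_ajax_example_get_json_unsafe', 'example_get_json_unsafe' );
function example_get_json_unsafe() {
    wp_send_json( array(
        'settings' => get_option( 'example_plugin_settings' ), // may hold an API token
        'pages'    => get_posts( array(
            'post_type'   => array( 'post', 'page' ),
            'post_status' => 'any', // also returns draft and private content
            'numberposts' => -1,
        ) ),
    ) );
}

// Hardened pattern: nonce check, capability check, minimal response.
add_action( 'wp_ajax_example_get_json', 'example_get_json' );
function example_get_json() {
    // Rejects requests without a valid nonce from wp_create_nonce( 'example_get_json' ).
    check_ajax_referer( 'example_get_json', 'nonce' );

    // Authorization: only users who may manage site options get past here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $settings = (array) get_option( 'example_plugin_settings', array() );
    unset( $settings['access_token'] ); // keep the secret server-side

    wp_send_json_success( array(
        'settings' => $settings,
        'pages'    => get_posts( array(
            'post_type'   => array( 'post', 'page' ),
            'post_status' => 'publish', // nothing the public cannot already read
            'numberposts' => 50,
        ) ),
    ) );
}
```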
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Userback