
CVE-2025-10694: CWE-862 Missing Authorization in smub User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Severity: Medium
Tags: Vulnerability, CVE-2025-10694, CWE-862
Published: Sat Oct 25 2025 (10/25/2025, 05:31:22 UTC)
Source: CVE Database V5
Vendor/Project: smub
Product: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Description

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.

AI-Powered Analysis

AI analysis last updated: 11/01/2025, 07:15:42 UTC

Technical Analysis

The vulnerability identified as CVE-2025-10694 affects the WordPress plugin 'User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds' developed by smub. The root cause is a missing authorization check (CWE-862) in the function 'maybe_load_onboarding_wizard', which is responsible for loading the onboarding wizard page. Because this function does not verify user capabilities, unauthenticated attackers can access this page directly. This unauthorized access allows attackers to view sensitive configuration information, including the administrator's email address, which is typically protected. The vulnerability affects all plugin versions up to and including 1.8.0. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality only (C:L), without affecting integrity or availability. Although no known exploits have been reported in the wild, the exposure of admin email addresses can facilitate targeted phishing campaigns or further reconnaissance. The lack of a patch at the time of publication means that users must rely on mitigating controls or plugin updates once available. This vulnerability highlights the importance of proper authorization checks in web applications, especially plugins that handle administrative functions.
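As an added illustration, not the plugin's own code (the advisory does not show it), here is the CWE-862 pattern in WordPress terms: a hook callback that renders the wizard whenever a query flag is present, beside a hardened form that requires a logged-in user holding `manage_options` before anything is rendered. The function, query parameter, nonce and text-domain names are assumed.

```php
<?php
// Hypothetical illustration of the missing-capability-check pattern described
// in the advisory. This is NOT the plugin's code; all names below are assumed.

// Pattern as described: the callback renders the onboarding wizard whenever a
// query flag is present and never asks who is making the request.
function insecure_maybe_load_onboarding_wizard() {
    if ( empty( $_GET['hypothetical_wizard'] ) ) {
        return;
    }
    // Any requester, authenticated or not, reaches the rendered settings.
    render_onboarding_wizard();
}

// Hardened form: reject anonymous or under-privileged callers before any
// output, and require a nonce so the page cannot be reached via a crafted link.
function secure_maybe_load_onboarding_wizard() {
    if ( empty( $_GET['hypothetical_wizard'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        // Second argument 403 sets the HTTP status; nothing is rendered.
        wp_die( esc_html__( 'You are not allowed to view this page.', 'hypothetical-textdomain' ), 403 );
    }
    // Verifies the _wpnonce request parameter against the assumed action name.
    check_admin_referer( 'hypothetical_wizard_nonce' );
    render_onboarding_wizard();
}

function render_onboarding_wizard() {
    // Placeholder for the wizard markup. The advisory states the real page
    // exposes configuration such as the administrator email address.
    echo '<p>' . esc_html( get_option( 'admin_email' ) ) . '</p>';
}

// Only the hardened callback is registered.
add_action( 'admin_init', 'secure_maybe_load_onboarding_wizard' );
```

The essential fix is that the capability check runs before the first byte of configuration is emitted; a check placed after rendering, or one that only hides the menu entry, does not close the disclosure.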

Potential Impact

For European organizations, the primary impact of this vulnerability is the unauthorized disclosure of administrator email addresses and potentially other configuration details. This information leakage can enable attackers to craft targeted phishing or spear-phishing attacks, increasing the risk of credential compromise or social engineering. While the vulnerability does not directly allow system compromise or data manipulation, it lowers the barrier for subsequent attacks. Organizations running WordPress sites with this plugin are at risk of reputational damage if attackers leverage the disclosed information for malicious campaigns. Additionally, organizations in regulated sectors (e.g., finance, healthcare) may face compliance issues if personal data is exposed or if phishing leads to data breaches. The vulnerability's ease of exploitation (no authentication or user interaction required) increases the likelihood of scanning and exploitation attempts. European entities with a strong online presence or customer-facing WordPress sites are particularly vulnerable to indirect impacts stemming from this information disclosure.

Mitigation Recommendations

Since no official patch is currently available, European organizations should implement the following mitigations:

1) Immediately audit WordPress sites to identify installations of the affected plugin and restrict access to the onboarding wizard page via web server configuration (e.g., IP whitelisting or HTTP authentication).
2) Disable or uninstall the vulnerable plugin if it is not essential, to reduce the attack surface.
3) Monitor web server logs for unusual access patterns targeting the onboarding wizard URL to detect potential exploitation attempts.
4) Implement email filtering and user awareness training to mitigate risks from phishing attacks leveraging disclosed administrator emails.
5) Once a patch or updated plugin version is released, prioritize prompt updates.
6) Employ Web Application Firewalls (WAFs) with custom rules to block unauthorized access to the vulnerable endpoint.
7) Review and harden WordPress user roles and permissions to minimize exposure of sensitive administrative functions.

These steps go beyond generic advice by focusing on immediate containment and detection until a patch is available.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-18T15:41:28.436Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68fc626907185a1a52fd75f3

Added to database: 10/25/2025, 5:38:49 AM

Last enriched: 11/1/2025, 7:15:42 AM

Last updated: 12/3/2025, 1:28:19 PM
