
CVE-2025-10694: CWE-862 Missing Authorization in smub User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-10694, CWE-862
Published: Sat Oct 25 2025 (10/25/2025, 05:31:22 UTC)
Source: CVE Database V5
Vendor/Project: smub
Product: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Description

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 18:34:39 UTC

Technical Analysis

The vulnerability identified as CVE-2025-10694 affects the WordPress plugin 'User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds' developed by smub. The root cause is a missing capability check in the 'maybe_load_onboarding_wizard' function, which is responsible for loading the onboarding wizard page. Because this function lacks proper authorization controls, unauthenticated attackers can remotely access this page. This unauthorized access allows attackers to view sensitive configuration information, notably the administrator's email address, which is typically protected. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system fails to enforce proper access control. The issue affects all plugin versions up to and including 1.8.0. The CVSS 3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and limited confidentiality impact. Although the vulnerability does not allow modification or disruption of the system, the exposure of admin email addresses can aid attackers in crafting targeted attacks such as phishing or spear-phishing campaigns. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (October 25, 2025).

Potential Impact

The primary impact of this vulnerability is the unauthorized disclosure of sensitive configuration information, specifically the administrator's email address. This information leakage can facilitate further attacks, including targeted phishing, social engineering, or reconnaissance activities by malicious actors. While the vulnerability does not directly compromise system integrity or availability, the exposure of admin contact details can lead to indirect compromises if attackers use this information to gain trust or deliver malicious payloads. Organizations relying on this plugin may face increased risk of social engineering attacks against their administrators, potentially leading to credential theft or unauthorized access through secondary attack vectors. The vulnerability's ease of exploitation (no authentication or user interaction required) increases its risk profile, especially for websites with high visibility or critical administrative roles. However, the lack of direct code execution or data modification limits the immediate technical damage. The absence of known exploits in the wild reduces immediate urgency but does not eliminate future risk.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify if they are using the affected plugin versions (up to and including 1.8.0). Since no official patch links are currently available, administrators should consider the following specific actions:

1) Temporarily disable or uninstall the vulnerable plugin until a patch is released.
2) Implement web application firewall (WAF) rules to restrict access to the onboarding wizard URL or related endpoints, allowing only trusted IP addresses or authenticated users.
3) Employ security plugins or custom code to enforce capability checks on the 'maybe_load_onboarding_wizard' function or its URL path, ensuring only authorized users can access it.
4) Monitor web server logs for unusual access attempts to the onboarding wizard page to detect potential exploitation attempts.
5) Educate administrators about phishing risks, especially since their email addresses may be exposed, and encourage the use of multi-factor authentication (MFA) to reduce the impact of credential compromise.
6) Stay alert for official patches or updates from the plugin vendor and apply them promptly once available.
7) Consider isolating or sandboxing the WordPress environment to limit exposure of sensitive configuration data.
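As an added illustration for mitigation item 3, the following WordPress PHP shows the general shape of a CWE-862 finding of this kind next to the capability check that closes it. This is example code written for this page, not the User Feedback plugin's code and not code from the advisory: the hook (`admin_init`), the function names, the `uf_onboarding` query parameter and the `example_onboarding` nonce action are all assumptions, since the plugin's actual routing is not shown here. The WordPress API calls (`current_user_can`, `check_admin_referer`, `wp_nonce_url`, `get_option`, `wp_die`) are real core functions.

```php
<?php
// Hypothetical illustration of a missing capability check (CWE-862) in a
// WordPress admin_init handler, and the hardened form. Hook name, function
// names, the "uf_onboarding" query parameter and the nonce action are assumed
// for this example; they are not taken from the affected plugin.

// BEFORE (vulnerable pattern): nothing checks who is asking. admin_init also
// fires for requests to admin-ajax.php and admin-post.php, which WordPress
// serves to unauthenticated visitors, so the page and the data it embeds
// (here the site's admin_email option) are exposed to anyone.
function example_maybe_load_onboarding_wizard_vulnerable() {
    if ( empty( $_GET['uf_onboarding'] ) ) {
        return;
    }
    $config = array( 'admin_email' => get_option( 'admin_email' ) );
    example_render_wizard( $config );
    exit;
}

// AFTER (hardened): an explicit capability check runs before any data is
// read, and a nonce ties the request to a link the plugin itself generated.
function example_maybe_load_onboarding_wizard_hardened() {
    if ( empty( $_GET['uf_onboarding'] ) ) {
        return;
    }
    // CWE-862 fix: only users who may manage the site reach the wizard.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to access this page.' ), 403 );
    }
    // Rejects requests that lack a valid nonce for this action (CSRF guard).
    check_admin_referer( 'example_onboarding' );

    $config = array( 'admin_email' => get_option( 'admin_email' ) );
    example_render_wizard( $config );
    exit;
}

// Builds the only link the hardened handler accepts: a nonce-protected
// admin URL. Assumed helper for this example.
function example_onboarding_url() {
    return wp_nonce_url( admin_url( '?uf_onboarding=1' ), 'example_onboarding' );
}

// Minimal renderer; all output is escaped.
function example_render_wizard( array $config ) {
    echo '<div class="wrap"><h1>Onboarding</h1>';
    echo '<p>Notifications will be sent to '
        . esc_html( $config['admin_email'] ) . '</p>';
    echo '</div>';
}

add_action( 'admin_init', 'example_maybe_load_onboarding_wizard_hardened' );
```

The design point is that the check belongs inside the handler, not only in the menu registration: hiding a page from the admin menu does not stop a direct request to its URL, whereas `current_user_can()` evaluated in the handler refuses the request regardless of how it arrived. Until a vendor fix is available, the same check can be enforced from outside the plugin in a small must-use plugin that hooks earlier on the same hook and calls `wp_die()` for unauthenticated requests carrying the wizard's query parameter; the parameter name must be taken from the actual plugin, which this page does not state.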


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-18T15:41:28.436Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68fc626907185a1a52fd75f3

Added to database: 10/25/2025, 5:38:49 AM

Last enriched: 2/27/2026, 6:34:39 PM

Last updated: 3/24/2026, 11:14:46 PM
