CVE-2025-10694: CWE-862 Missing Authorization in smub UserFeedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.
AI Analysis
Technical Summary
CVE-2025-10694 is a missing authorization vulnerability (CWE-862) in the User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds WordPress plugin by smub. The vulnerability exists because the function `maybe_load_onboarding_wizard` does not perform a capability check, allowing unauthenticated users to access the onboarding wizard page. This exposure reveals configuration information, including the administrator email address, potentially aiding further reconnaissance. The issue affects all plugin versions up to 1.8.0. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with low complexity and no privileges required, resulting in limited confidentiality impact without integrity or availability effects.
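The defect described above is the absence of a capability check before the wizard renders. The following PHP is an added illustration of that pattern and its fix, not the plugin's actual source: the hook name, page slug, and rendering helper are assumptions chosen for the example.

```php
<?php
// Hypothetical rendering helper standing in for whatever the real wizard
// outputs; the point is that it exposes configuration such as admin_email.
function example_render_onboarding_wizard( $admin_email ) {
    echo '<h1>Onboarding</h1>';
    echo '<p>Notifications go to: ' . esc_html( $admin_email ) . '</p>';
}

// Vulnerable pattern (reconstruction, not the plugin's code): any request
// carrying the trigger parameter reaches the render call, authenticated or not.
function vulnerable_maybe_load_onboarding_wizard() {
    // 'example-onboarding' is a placeholder slug, not the plugin's real one.
    if ( empty( $_GET['page'] ) || 'example-onboarding' !== $_GET['page'] ) {
        return;
    }
    example_render_onboarding_wizard( get_option( 'admin_email' ) );
    exit;
}

// Hardened form: fail closed unless the requester is logged in and holds
// manage_options, the capability WordPress reserves for administrators.
// current_user_can() is false for anonymous visitors, so the login check is
// explicit rather than strictly necessary.
function hardened_maybe_load_onboarding_wizard() {
    if ( empty( $_GET['page'] ) || 'example-onboarding' !== $_GET['page'] ) {
        return;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to view this page.', 'example-textdomain' ),
            '',
            array( 'response' => 403 )
        );
    }
    example_render_onboarding_wizard( get_option( 'admin_email' ) );
    exit;
}

// The 'init' hook fires for every front-end and admin request, logged in or
// not, which is why the capability check must live inside the handler.
add_action( 'init', 'hardened_maybe_load_onboarding_wizard' );
```

When reviewing a plugin for this class of bug, look for any handler reachable from `init`, `admin_init`, `wp_ajax_nopriv_*` or a REST route that reads options or renders admin UI without a `current_user_can()` gate.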
Potential Impact
An unauthenticated attacker can access the onboarding wizard page and view sensitive configuration information such as the administrator email address. This exposure could facilitate targeted phishing or social engineering attacks but does not directly allow system compromise or data modification. There is no indication of impact on integrity or availability. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is indicated in the provided data, users should monitor the vendor's communications for updates. Until a fix is available, restricting access to the onboarding wizard page through web server configuration or other access controls may reduce exposure.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-18T15:41:28.436Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc626907185a1a52fd75f3
Added to database: 10/25/2025, 5:38:49 AM
Last enriched: 4/9/2026, 3:49:22 PM
Last updated: 5/10/2026, 1:19:31 PM