CVE-2025-10694 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin 'User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds' developed by smub. The flaw exists due to the absence of a capability check in the 'maybe_load_onboarding_wizard' function across all versions up to 1.8.0. This missing authorization allows unauthenticated attackers to directly access the onboarding wizard page, which is intended to be restricted to authorized users only. Through this page, attackers can view sensitive configuration information, notably the administrator's email address, which is a critical piece of information that can be leveraged for further attacks such as phishing or targeted social engineering. The vulnerability has a CVSS v3.1 base score of 5.3, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts confidentiality only (C:L). There is no impact on integrity or availability. No patches or fixes have been linked yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability is significant because it exposes sensitive configuration data without requiring authentication, increasing the risk profile of affected WordPress sites using this plugin.

For European organizations, the primary impact of this vulnerability is the unauthorized disclosure of administrator email addresses and potentially other configuration details. This information leakage can facilitate targeted phishing campaigns, spear-phishing, or social engineering attacks against administrators or IT personnel, increasing the risk of credential compromise or further exploitation. Although the vulnerability does not directly allow modification or disruption of services, the indirect consequences of compromised credentials or successful phishing can lead to broader security breaches. Organizations relying on this plugin for customer feedback or surveys may face reputational damage if attackers leverage exposed information for malicious campaigns. The medium severity rating indicates a moderate risk, but the ease of exploitation (no authentication or user interaction required) elevates the urgency for mitigation. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, the potential attack surface is significant.

European organizations should immediately verify if their WordPress installations use the 'User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds' plugin, particularly versions up to 1.8.0. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate exposure. If disabling is not feasible, restrict access to the onboarding wizard page via web application firewall (WAF) rules or server-level access controls, limiting access to trusted IP addresses or authenticated users only. Monitoring web server logs for unauthorized access attempts to the onboarding wizard endpoint can help detect exploitation attempts. Additionally, organizations should educate administrators about phishing risks and implement multi-factor authentication (MFA) to reduce the impact of potential credential compromise. Regularly updating all WordPress plugins and themes and subscribing to vulnerability advisories will help maintain security posture. Once a patch becomes available, prioritize its deployment across all affected systems.