NuytsTech Security

CVE-2025-14540

by ·

The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin’s configuration data including the Userback API access token and site’s posts/pages contents, including those that have private and draft status.

More information : https://plugins.trac.wordpress.org/browser/userback/tags/1.0.15/index.php#L148

Tags: