{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68496", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-19T10:16:41.921Z", "datePublished": "2025-12-24T12:31:19.688Z", "dateUpdated": "2026-04-28T16:14:28.673Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "userfeedback-lite", "product": "User Feedback", "vendor": "Syed Balkhi", "versions": [{"changes": [{"at": "1.10.1", "status": "unaffected"}], "lessThanOrEqual": "1.10.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:23:13.643Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.<p>This issue affects User Feedback: from n/a through <= 1.10.0.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.0."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.673Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress User Feedback plugin <= 1.10.0 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:33:54.444203Z", "id": "CVE-2025-68496", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:33:57.057Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:33:54.444203Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-24T19:13:01.893Z"}}], "cna": {"title": "WordPress User Feedback plugin <= 1.10.0 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Syed Balkhi", "product": "User Feedback", "versions": [{"status": "affected", "changes": [{"at": "1.10.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.10.0"}], "packageName": "userfeedback-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:23:13.643Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.<p>This issue affects User Feedback: from n/a through <= 1.10.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:56.476Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68496", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:33:57.057Z", "dateReserved": "2025-12-19T10:16:41.921Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-24T12:31:19.688Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.0."}], "id": "CVE-2025-68496", "lastModified": "2026-04-27T19:16:25.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-24T13:16:20.043", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:30:03.239617+00:00", "value": {"mitigation_remediation": ["Upgrade to User Feedback plugin version 1.10.1 or later to eliminate the injection flaw.", "If upgrading is not immediately possible, disable or uninstall the plugin to remove the vulnerable code path.", "Apply database best\u2011practice measures such as ensuring the database user has the least privileges required and that other WordPress components use parameterized queries or prepared statements to mitigate similar risks."], "summary": {"action": "Immediate Patch", "impact": "Blind SQL Injection via the User Feedback plugin"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress User Feedback plugin from Syed Balkhi. All installations using version 1.10.0 or earlier are impacted.", "description_and_impact": "The User Feedback plugin contains an SQL Injection vulnerability caused by improper neutralization of special characters in an SQL command. A malicious actor can send crafted input that results in blind SQL injection, allowing them to execute arbitrary SQL queries through the plugin\u2019s interface. This can lead to unauthorized data disclosure, modification, or deletion within the WordPress database, potentially compromising site integrity and confidentiality.", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high severity with potential for significant impact if exploited. EPSS suggests a low likelihood of current exploitation (<1%), and the flaw is not listed in the CISA KEV catalog. The attack vector is likely through web traffic to the plugin\u2019s data entry points, where user-supplied input is used without proper sanitization. Although exploitation is presently rare, the effect could be serious if an attacker entices users or if automated attacks succeed."}}}}, "created": "2025-12-29T22:34:23.506697+00:00", "updated": "2026-04-28T18:30:37.346401+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}