Executive Summary

CVE-2026-39476 is a Broken Access Control vulnerability found in the WordPress User Feedback Plugin versions up to and including 1.10.1. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions.

This flaw allows unprivileged users, such as subscribers or developers, to perform actions that should be restricted to higher privileged roles.

It is classified under the OWASP Top 10 category A1: Broken Access Control and has a low severity impact with a CVSS score of 4.3.

The vulnerability was reported in early 2026 and is fixed in version 1.11.0 and later.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows users with low-level privileges (like subscribers) to escalate their privileges and perform actions reserved for higher privileged roles.

Although it has a low severity score and is unlikely to be exploited in targeted attacks, it can be used in mass-exploit campaigns affecting thousands of websites indiscriminately.

If exploited, it could lead to unauthorized changes or access within the affected WordPress plugin, potentially compromising the integrity or confidentiality of user feedback data.

Users are strongly advised to update to version 1.11.0 or newer to mitigate this risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a Broken Access Control issue in the WordPress User Feedback Plugin versions up to 1.10.1, allowing unprivileged users to perform actions reserved for higher privileged roles.

Detection typically involves verifying the plugin version installed on your WordPress site and checking for unauthorized privilege escalations or actions performed by subscriber-level users.

Since the vulnerability arises from missing authorization checks in plugin functions, you can detect it by:

• Checking the installed plugin version to see if it is 1.10.1 or earlier.
• Reviewing WordPress user roles and permissions for unexpected privilege escalations.
• Monitoring logs for suspicious actions performed by low-privilege users.

Specific commands are not provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to update the WordPress User Feedback Plugin to version 1.11.0 or later, where this vulnerability is fixed.

Additional mitigation measures include:

• Restricting subscriber-level user privileges to minimize potential exploitation.
• Using security plugins or services such as Patchstack that offer auto-updates and rapid protection for vulnerable plugins.

Prompt patching is strongly advised since the vulnerability can be exploited by users with only subscriber-level privileges.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a Broken Access Control issue that allows unauthorized privilege escalation in the WordPress User Feedback Plugin. Such access control weaknesses can potentially lead to unauthorized access to sensitive user data or administrative functions.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical components of these regulations.

Therefore, if exploited, this vulnerability could lead to non-compliance with regulations that require strict access controls and protection of personal or sensitive data.

Useful 0 Not Useful 0