{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39475", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:42:07.235Z", "datePublished": "2026-04-08T08:30:09.133Z", "dateUpdated": "2026-04-08T08:30:09.133Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "userfeedback-lite", "product": "User Feedback", "vendor": "Syed Balkhi", "versions": [{"changes": [{"at": "1.11.0", "status": "unaffected"}], "lessThanOrEqual": "1.10.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:51.014Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.<p>This issue affects User Feedback: from n/a through <= 1.10.1.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:09.133Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability-2?_s_id=cve"}], "title": "WordPress User Feedback plugin <= 1.10.1 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1."}], "id": "CVE-2026-39475", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:22.257", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.10.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "User Feedback", "source": "cna", "vendor": "Syed Balkhi"}, "product": "user_feedback", "vendor": "syed_balkhi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:27:08.821941+00:00", "value": {"mitigation_remediation": ["Upgrade the User Feedback plugin to version 1.10.2 or later if available", "If an upgrade is not possible, contact the vendor for an official patch or disable the plugin until a patch is released", "Implement a WAF rule set to block common SQL injection patterns against the plugin\u2019s endpoints", "Audit database tables for unauthorized data changes and restore from backups if necessary", "Monitor application logs for suspicious query activity"], "summary": {"action": "Update Plugin", "impact": "SQL Injection permitting data exposure or modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Syed Balkhi User Feedback plugin for WordPress in versions up to and including 1.10.1. All deployments using these or earlier versions are potentially exposed.", "description_and_impact": "Improper handling of user input in the WordPress User Feedback plugin allows a blind SQL injection. The vulnerability enables an attacker to execute arbitrary SQL commands against the database, potentially exposing sensitive information, modifying or deleting data, and compromising the integrity and confidentiality of the site.", "risk_and_exploitability": "This is a remote web\u2011based vulnerability that can be exploited by an attacker who can send crafted requests to the plugin\u2019s endpoints. While a CVSS score is not provided in the data, SQL injection of this nature is typically considered high severity. No EPSS score or KEV listing is available, which means no known mass exploitation has been reported, but the attack vector remains realistic given the widespread use of the plugin."}}}}, "created": "2026-04-08T19:30:51.902404+00:00", "updated": "2026-04-08T19:43:20.700538+00:00", "vendors": ["syed_balkhi", "syed_balkhi$PRODUCT$user_feedback", "wordpress", "wordpress$PRODUCT$wordpress"]}