Question 1

Is my site at risk if I'm using an older version of the User Feedback plugin?

Accepted Answer

Is my site at risk if I'm using an older version of the User Feedback plugin?

Yes, your site is at significant risk if running User Feedback version 1.0.13 or earlier. These contain a dangerous vulnerability allowing complete site takeover through stored cross-site scripting attacks. Updating to version 1.0.14 patches this security flaw. All users of this plugin should update immediately to protect their websites.

Question 2

How serious is this User Feedback plugin vulnerability?

Accepted Answer

How serious is this User Feedback plugin vulnerability?

This vulnerability is extremely serious, with a CVSS severity score of 5.4 out of 10. Successful exploitation could lead to data theft, full admin access, UI redressing for phishing campaigns, user session hijacks, or injection of malware payloads. Since no login is required to submit the feedback form, any external party could attempt attacks.

Question 3

Why wasn't this vulnerability discovered during initial plugin development?

Accepted Answer

Why wasn't this vulnerability discovered during initial plugin development?

Like all software, vulnerabilities are often not discovered until code is deployed and scrutinized by security researchers or black box testing. The developers likely did not realize the plugin was failing to properly sanitize and escape user-supplied input before rendering pages. Now patched, it underscores the need for ongoing audits.

Question 4

How difficult is it for attackers to exploit this stored XSS attack?

Accepted Answer

How difficult is it for attackers to exploit this stored XSS attack?

This vulnerability is unfortunately quite easy for external attackers to exploit, requiring just a basic understanding of cross-site scripting. Hundreds of thousands of sites were likely left exposed before disclosure. Widespread scanning tools also lower the barrier to mass exploitation once bugs become public.

Question 5

Should I just remove the User Feedback plugin to stay safe?

Accepted Answer

Should I just remove the User Feedback plugin to stay safe?

You do not necessarily need to fully remove the plugin if you find it useful. Simply updating to the latest patched release (version 1.0.14) resolves the vulnerability without losing functionality. As always, limiting plugins and themes to reputable sources helps reduce risk.

Question 6

What security precautions should I take in addition to updating User Feedback?

Accepted Answer

What security precautions should I take in addition to updating User Feedback?

Along with updating User Feedback, this is an excellent time to audit all your plugins, themes, and WordPress core software for any missed security patches. Enable auto-background updates on WordPress and plugins when available to stay current. Scanners like Wordfence also help block exploit attempts.

Question 7

Are other plugins likely vulnerable too?

Accepted Answer

Are other plugins likely vulnerable too?

Unfortunately yes - vulnerabilities are rather common in WordPress plugins and themes given their broad capabilities touch sensitive areas. The wider community orientation can also lead to coding oversights. Other plugins may have dangerous disclosed bugs, which is why staying aggressively updated is so critical.

Question 8

Should I be concerned over the 3 prior User Feedback flaws too?

Accepted Answer

Should I be concerned over the 3 prior User Feedback flaws too?

The 3 other vulnerabilities patched in User Feedback since September 2023 certainly raise some eyebrows. However, the proper security response from developers to address past issues shows accountability. Running the latest plugin version protects against all documented bugs. Still, consider alternatives if ongoing concerns around the code quality.

Question 9

What if I need help updating plugins or hardening site security?

Accepted Answer

What if I need help updating plugins or hardening site security?

We fully understand that hardcore website security can be difficult and time consuming, especially for non-technical users. Please don't hesitate to reach out if you need any help upgrading plugins like User Feedback, auditing site security, enabling automatic background updates, leveraging scanners like Wordfence, or further hardening your WordPress site against threats. We offer affordable website maintenance packages to keep your site smoothly secured.

Question 10

Who disclosed this User Feedback plugin vulnerability initially?

Accepted Answer

Who disclosed this User Feedback plugin vulnerability initially?

This stored cross-site scripting vulnerability was disclosed by Polish security researcher Grzegorz Niedziela on February 21st, 2024. The bug received the ID of CVE-2024-0903 as part of formal tracking. Responsible public disclosure of flaws allows developers to address issues without mass attacks in the wild.

CVE-2024-0903

User Feedback Vulnerability – Unauthenticated Stored Cross-Site Scripting – CVE-2024-0903 | WordPress Plugin Vulnerability Report

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy