User Feedback Vulnerability – Unauthenticated Stored Cross-Site Scripting – CVE-2024-0903 | WordPress Plugin Vulnerability Report

Plugin Name: User Feedback

Key Information:

  • Software Type: Plugin
  • Software Slug: userfeedback-lite
  • Software Status: Active
  • Software Author: smub
  • Software Downloads: 1,054,695
  • Active Installs: 200,000
  • Last Updated: February 21, 2024
  • Patched Versions: 1.0.14
  • Affected Versions: <= 1.0.13

Vulnerability Details:

  • Name: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.0.13 - Unauthenticated Stored Cross-Site Scripting
  • Title: Unauthenticated Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-0903
  • CVSS Score: 5.4 (Medium)
  • Publicly Published: February 21, 2024
  • Researcher: Grzegorz Niedziela
  • Description: The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_submitted' 'link' value in all versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the feedback submission page that will execute when a user clicks the link, while also pressing the command key.


The User Feedback plugin for WordPress has a vulnerability in versions up to and including 1.0.13 that allows unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks a specially crafted link. This vulnerability has been patched in version 1.0.14.

Detailed Overview:

Researcher Grzegorz Niedziela disclosed an unauthenticated stored cross-site scripting (XSS) vulnerability in the User Feedback plugin. Due to insufficient sanitization of user-supplied input and lack of output escaping in the plugin code, an attacker can store malicious JavaScript payloads when submitting feedback that will execute when clicked by an admin or other users. Specifically, the attacker can supply malicious input in the "page_submitted" parameter's "link" value, which will render unescaped on the feedback listing page. When a user clicks this link while pressing the command key, the XSS payload executes in the victim's browser. This could be leveraged for session hijacking, UI redressing, phishing, or other attacks. The vulnerability is patched by properly sanitizing and escaping untrusted data before outputting it.

Advice for Users:

  1. Immediate Action: Update to version 1.0.14 as soon as possible.
  2. Check for Signs of Compromise: Review recent feedback submissions in your dashboards for suspicious links or scripts. Clear browser cookies and cache.
  3. Alternate Plugins: Consider a static site feedback form or third party services as alternatives.
  4. Stay Updated: Enable automatic background updates in WordPress to ensure plugins stay updated.
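
One way to carry out the review in step 2, as an added example that is not the plugin's or the vendor's code: it checks each stored 'page_submitted' 'link' value against an http/https allow-list and flags HTML metacharacters. The JSON export layout, the record ids and the function names are assumptions; only the 'page_submitted' and 'link' names come from the advisory.

```python
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MARKUP_CHARS = set("<>\"'`")

def link_problems(link):
    """Return the reasons a stored link needs review; an empty list means none."""
    if not isinstance(link, str):
        return ["link is not a string"]
    problems = []
    # Control characters or padding can hide a scheme from a naive prefix check.
    if link != link.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in link):
        problems.append("control characters or padding whitespace")
    cleaned = "".join(c for c in link if ord(c) > 0x20 and ord(c) != 0x7F)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return problems + ["unparseable URL"]
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append("scheme %r is not http/https" % parts.scheme.lower())
    elif not parts.netloc:
        problems.append("no host")
    if MARKUP_CHARS & set(link):
        problems.append("HTML metacharacters in value")
    return problems

def audit(records):
    """Return (record id, reasons) for every record whose link fails the checks."""
    findings = []
    for rec in records:
        page = rec.get("page_submitted")
        link = page.get("link") if isinstance(page, dict) else None
        if link is None:
            continue  # nothing stored for this submission
        reasons = link_problems(link)
        if reasons:
            findings.append((rec.get("id"), reasons))
    return findings

# Constructed sample export; real data would come from the site's own database.
SAMPLE_EXPORT = json.loads(r"""[
  {"id": 1, "page_submitted": {"link": "https://example.com/pricing"}},
  {"id": 2, "page_submitted": {"link": "javascript:void(0)"}},
  {"id": 3, "page_submitted": {"link": "https://example.com/a\"b"}},
  {"id": 4, "page_submitted": {"link": " \tJavaScript:void(0)"}}
]""")

if __name__ == "__main__":
    for rec_id, reasons in audit(SAMPLE_EXPORT):
        print(rec_id, "; ".join(reasons))
```

Relative links are flagged too, so a flagged record is a candidate for manual review rather than proof of an injection.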


This vulnerability enabled serious attacks without authentication due to coding oversights. The quick patch release shows the plugin developers are acting responsibly to fix security issues. Users should always ensure they run updated versions of software to stay protected.


Detailed Report

Keeping your WordPress website secure should be a top priority - but with so many plugins and moving parts, it can be easy to miss a critical update. Unfortunately, that could leave your site exposed, as a recently disclosed vulnerability in a popular user feedback plugin illustrates.

The User Feedback plugin, with over 1 million downloads and 200,000 active installs, allows website owners to easily create surveys, polls, and feedback forms. It's a useful tool for customer insight. However, researchers recently revealed that versions up to and including 1.0.13 contain an unauthenticated stored cross-site scripting (XSS) vulnerability (tracked as CVE-2024-0903).

This means that any external party could potentially submit a carefully crafted feedback form that executes malicious JavaScript when clicked. No authentication is required for exploitation. Successful attacks could lead to full site takeover, admin access, data theft, UI redressing for phishing, or other impacts - depending on the payload.

The specifics: insufficient sanitization of the "page_submitted" parameter's "link" value allows scripts to be injected and stored. When administrators or users later click affected links with the command key pressed, the scripts trigger due to the lack of output escaping.

Remediating this Security Risk

The good news is that updating to version 1.0.14 of User Feedback resolves this pressing vulnerability. Auto-update plugins like Wordfence will also deploy fixes automatically once they are released publicly.

However, this issue should serve as a wake-up call for businesses running on WordPress. Developers can and do introduce dangerous oversights, and public disclosure puts sites at mass-exploitation risk. Yet simple software updates mitigate known threats.

We recommend immediately updating User Feedback if used, auditing all plugins/themes for missed security patches, and enabling auto-update functionality where possible. For further protection, consider leveraging tools like Wordfence for blocking known bad requests. And never hesitate to contact us with plugin update help or a website audit/hardening if needed!

This proactive security hygiene virtually eliminates risk from disclosed flaws in third-party add-ons down the line.

The Risks of Delayed Updates

In fact, User Feedback saw 3 other vulnerabilities introduced since September 2023 alone. This history of multiple vulnerabilities makes timely patching all the more critical. Once public, flaws can spread through automated mass-scanners seeking easy exploit targets. Don't be low-hanging fruit!

While software will always have defects, keeping current with maintenance releases ensures you reap the benefits of an add-on without undue website risk. As threats evolve, taking a proactive approach to security allows business owners using WordPress to focus on their core competencies - not chasing down plugin fixes.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
