WordPress Plugin Vulnerability Report: User Feedback – Unauthenticated Stored Cross-Site Scripting – CVE-2023-39308

Plugin Name: User Feedback

Key Information:

  • Software Type: Plugin
  • Software Slug: userfeedback-lite
  • Software Status: Active
  • Software Author: smub
  • Software Downloads: 348,588
  • Active Installs: 100,000
  • Last Updated: September 7, 2023
  • Patched Versions: 1.0.8
  • Affected Versions: <=1.0.7

Vulnerability Details:

  • Name: User Feedback <= 1.0.7 - Unauthenticated Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-39308
  • CVSS Score: 7.2 (High)
  • Publicly Published: September 4, 2023
  • Researcher: Revan Arifio
  • Description: The User Feedback plugin for WordPress is vulnerable to Stored Cross-Site Scripting via user responses for surveys in versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping.


The User Feedback plugin for WordPress has a vulnerability in versions up to and including 1.0.7 that exposes users to Stored Cross-Site Scripting risks. This vulnerability has been patched in version 1.0.8.

Detailed Overview:

The vulnerability was discovered by researcher Revan Arifio and has been publicly reported since September 4, 2023. Specifically, the vulnerability exists in the handling of user responses for surveys. Due to a lack of sufficient input sanitization and output escaping, unauthenticated attackers can inject arbitrary web scripts into pages. These scripts would then execute whenever a user accesses an injected page, thereby compromising the site and potentially exposing sensitive data.

The CVSS (Common Vulnerability Scoring System) score for this vulnerability is 7.2, which is categorized as High, indicating that the vulnerability poses a substantial risk to affected installations.

Risks of Vulnerability:

  • Unauthorized code execution on client-side
  • Data exposure
  • Unauthorized access to sensitive user data

Vulnerability Remediation: The plugin developers have promptly addressed this issue and released a patch in version 1.0.8.

Advice for Users:

Immediate Action: Users are encouraged to immediately update to version 1.0.8 to mitigate the risks associated with this vulnerability.

Check for Signs of Vulnerability: Monitor your website logs and user activity for any unauthorized or suspicious activities that could indicate a compromise.

Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.

Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.


The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.0.8 or later to secure their WordPress installations.


Detailed Report

Staying secure online is a constant battle, especially for small business owners juggling a million tasks. As WordPress users, we rely on plugins to add functionality to our sites, often without realizing the potential vulnerabilities they introduce. Unfortunately, I have some pressing news about a serious flaw in a widely used plugin - User Feedback - that requires immediate action to protect your site.

User Feedback, with over 100,000 active installs, allows site owners to easily create surveys and polls. However, researchers recently disclosed a major vulnerability that impacts all versions up to and including 1.0.7. Hackers can exploit this flaw to inject malicious scripts into your site without authentication. When users load a compromised page, it triggers the script to run, exposing sensitive data or enabling attacks.

According to the CVSS score, this vulnerability is categorized as high risk. Some potential impacts include data theft, unauthorized access to admin panels, and complete site takeovers. Making matters worse, User Feedback has faced security issues in the past, putting extra scrutiny on this new flaw.

While staying on top of vulnerabilities feels impossible, immediate action is required in this case. Users must update to version 1.0.8 to resolve the issue. It's also wise to monitor logs closely for suspicious activity and consider alternate plugins. The developers issued a prompt patch, but the onus falls on us to implement it.

I know how hard it is to keep up with security as a small business owner. My goal is to provide actionable advice to help protect your livelihood. Heeding reports and upgrading promptly lessens the chances of disaster striking. Let's ensure our sites stay safe and secure.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WordPress Plugin Vulnerability Report: User Feedback – Unauthenticated Stored Cross-Site Scripting – CVE-2023-39308 FAQs

Leave a Comment