CVE-2025-10694: 
WordPress vulnerability analysis and mitigation

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress contains a vulnerability (CVE-2025-10694) discovered on October 24, 2025. The vulnerability affects all versions up to and including 1.8.0, and is characterized by a missing capability check in the maybe_load_onboarding_wizard function. This security flaw has been assigned a CVSS v3.1 base score of 5.3 (Medium) (Wordfence, NVD).

The vulnerability stems from a missing authorization check in the maybe_load_onboarding_wizard function. The security flaw is classified as CWE-862 (Missing Authorization) and has been assigned a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Rapid7).

The vulnerability allows unauthenticated attackers to access the onboarding wizard page and view sensitive configuration information, including the administrator email address. This information disclosure could potentially be used as a stepping stone for further attacks (NVD).

Website administrators running the affected versions of the User Feedback plugin should update to a version newer than 1.8.0 which contains the security fix. The fix implements proper capability checks in the maybe_load_onboarding_wizard function (WordPress Plugin).