Medium severity4.3NVD Advisory· Published Dec 13, 2025· Updated Apr 15, 2026

CVE-2025-14540

Description

The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin's configuration data including the Userback API access token and site's posts/pages contents, including those that have private and draft status.

Affected products

WordPress/Userbackinferred2 versions
<=1.0.15+ 1 more
- (no CPE)range: <=1.0.15
- (no CPE)range: <=1.0.15
Package: https://wordpress.org/plugins/userback

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/userback/tags/1.0.15/index.phpnvd
www.wordfence.com/threat-intel/vulnerabilities/id/1add8693-20df-431e-ad3b-b23322f1fa03nvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000