A critical vulnerability has been identified in the User Feedback WordPress plugin, which could allow an unauthenticated attacker to access and manipulate the website's database. Successful exploitation could lead to a complete compromise of sensitive data stored in the database, including user information and other confidential details. Due to the high severity of this flaw, immediate action is required to prevent a potential data breach.

The vulnerability is a Blind SQL Injection, categorized under CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The application fails to properly sanitize user-supplied input before incorporating it into an SQL query. An unauthenticated remote attacker can craft a malicious request containing specially formatted SQL commands, which are then executed by the database. Because this is a "blind" SQL injection, the attacker does not receive direct results from the database but can infer data by observing the application's responses to different queries, such as time delays or boolean (true/false) changes in the response page.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe impact on the business, leading to a significant data breach. An attacker could exfiltrate, modify, or delete all data within the application's database, including user credentials, personal identifiable information (PII), and other sensitive business data. This could result in substantial reputational damage, loss of customer trust, regulatory fines (e.g., under GDPR or CCPA), and potential financial loss associated with incident response and recovery.

Immediate Action: Immediately update the User Feedback plugin to the latest version available (greater than 1.10.1), which contains the patch for this vulnerability. After updating, administrators should monitor for any signs of exploitation attempts by reviewing web server and database access logs for suspicious activity.

Proactive Monitoring:

• Log Analysis: Scrutinize web server access logs (e.g., Apache, Nginx) and database logs for requests containing SQL keywords such as SELECT, UNION, SLEEP, or boolean logic like ' OR '1'='1'.
• Web Application Firewall (WAF): Ensure a WAF is in place with a ruleset designed to detect and block SQL injection attack patterns. Monitor WAF alerts for any triggers related to this vulnerability.
• Performance Monitoring: Be alert to unusual database load or abnormally slow page load times, as these can be indicators of a time-based Blind SQL Injection attack in progress.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Deploy a Web Application Firewall (WAF) with strict SQL injection filtering rules to block malicious requests before they reach the application.
• Restrict access to the application or temporarily disable the User Feedback plugin until it can be safely updated.
• Enforce the principle of least privilege for the database user account connected to the application to limit the scope of potential damage.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that organizations immediately apply the vendor-supplied patch to all affected systems. This vulnerability represents a high risk of a full database compromise. While it is not currently listed on the CISA KEV catalog, its critical nature makes it a prime candidate for future inclusion and a priority target for attackers. If patching cannot be performed immediately, the compensating controls listed above, particularly a WAF, should be implemented as a matter of urgency.