CVE-2025-14540

Description

The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugins configuration data including the Userback API access token and sites posts/pages contents, including those that have private and draft status.