CVE-2026-39476
WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerabilityMissing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.
We have discovered 1,670 live websites that are affected by CVE-2026-39476.
Affected Software
| Product |  Userfeedback Lite |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,670 live websites (86% of Userfeedback Lite install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 20 versions ( 91% of all versions) |
Details
- Published - Apr 8, 2026
- Updated - Apr 29, 2026
Credits
- Trương Hữu Phúc (truonghuuphuc) | Patchstack Bug Bounty Program (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2026-39476 United States | 592 websites |
 Germany | 123 websites |
 France | 91 websites |
 GB | 75 websites |
 Italy | 74 websites |
 Japan | 72 websites |
 Cyprus | 53 websites |
 Brazil | 43 websites |
 Spain | 35 websites |
 South Africa | 33 websites |
Website Distribution by TLD
Number of websites using CVE-2026-39476| .com | 863 websites |
| .org | 87 websites |
| .net | 59 websites |
| .it | 45 websites |
| .com.br | 39 websites |
| .de | 36 websites |
| .co.uk | 36 websites |
| .fr | 34 websites |
| .nl | 33 websites |
| .pl | 24 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-39476
Top websites that are affected by CVE-2026-39476. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******************.com | Spain | ***,*** | |
| *****.org | United States | ***,*** | |
| *****.org | Germany | ***,*** | |
| **********.com | United States | ***,*** | |
| ********.***.do |  Dominican Republic | ***,*** | |
| *****************.com | GB | ***,*** | |
| ************.org | United States | ***,*** | |
| *************.com | Japan | ***,*** | |
| *********.org |  Canada | ***,*** | |
| *************.org | Canada | ***,*** |
FAQ
A total of 1,670 websites have been identified as vulnerable to CVE-2026-39476, based on global website indexing conducted by WebTechSurvey.
The Userfeedback Lite is affected by the CVE-2026-39476 vulnerability.
Userfeedback Lite versions up to and including 1.10.1 are vulnerable to CVE-2026-39476.