Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
Description (CVE.org)
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.
Analysis (AI)
Unauthenticated attackers can access and modify plugin settings in the Widgets for Social Photo Feed WordPress plugin through missing capability checks on two REST API endpoints, allowing unauthorized data access and configuration changes in all versions up to and including 1.8. The vulnerability requires only network access with no user interaction, making it trivially exploitable by remote attackers without authentication credentials.
Technical Context (AI)
The vulnerability stems from inadequate authorization controls on REST API endpoints registered by the WordPress plugin. Two endpoints, '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data', do not perform a WordPress capability check (typically 'manage_options' or a similar administrative capability) before processing requests. WordPress REST API routes should validate the caller's role and capabilities before exposing sensitive operations; this plugin registers the endpoints but omits the authorization layer. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) is the assigned weakness class: functionality is exposed without proper access control, so unauthenticated principals can interact with protected resources.
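As an added illustration (not the plugin's own code), the following shows the vulnerable registration pattern beside the hardened one, using WordPress's register_rest_route(). The route names come from the advisory; the namespace/route split, the handler names (tfhi_example_*), the option name and the handler bodies are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. The route names come from the
// advisory; the handler bodies, option name and namespace/route split are assumed.

add_action( 'rest_api_init', function () {
    // Vulnerable pattern: no permission_callback, so WordPress hands every
    // request, authenticated or not, straight to the handler. (Since WP 5.5
    // omitting it also raises a _doing_it_wrong notice, but the route still works.)
    register_rest_route( 'trustindex_feed_hook_instagram', '/troubleshooting', array(
        'methods'  => 'GET',
        'callback' => 'tfhi_example_troubleshooting',
    ) );

    // Hardened pattern: an explicit capability check runs before the callback.
    // The same callback should be attached to the troubleshooting route as well.
    $require_admin = function ( WP_REST_Request $request ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to view or change these settings.' ),
                array( 'status' => rest_authorization_required_code() ) // 401 or 403
            );
        }
        return true;
    };

    register_rest_route( 'trustindex_feed_hook_instagram', '/submit-data', array(
        'methods'             => 'POST',
        'callback'            => 'tfhi_example_submit_data',
        'permission_callback' => $require_admin,
        'args'                => array(
            'settings' => array(
                'required'          => true,
                'type'              => 'object',
                'sanitize_callback' => 'tfhi_example_sanitize_settings',
            ),
        ),
    ) );
} );

// Assumed handler: returns the stored settings (sensitive when unauthenticated).
function tfhi_example_troubleshooting( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'tfhi_example_settings', array() ) );
}

// Assumed handler: writes settings; only reachable after the permission check passes.
function tfhi_example_submit_data( WP_REST_Request $request ) {
    update_option( 'tfhi_example_settings', $request->get_param( 'settings' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// Assumed sanitizer for a flat array of string settings.
function tfhi_example_sanitize_settings( $value ) {
    return is_array( $value ) ? array_map( 'sanitize_text_field', $value ) : array();
}
```

The check lives in permission_callback so it runs for every request before the handler. Note that the REST server treats a cookie-authenticated request without a valid X-WP-Nonce as unauthenticated, so current_user_can() returns false for such callers even when a browser session exists; the sanitize_callback is independent of the authorization fix but belongs on any endpoint that writes options.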
Remediation (AI)
Upgrade to a patched version released after version 1.8. According to the Wordfence advisory and WordPress plugin repository changeset 3513612, a fix addressing the missing capability checks has been committed. Site administrators should update the Widgets for Social Photo Feed plugin to the latest available version through the WordPress admin panel (Plugins > Installed Plugins > Update). If an immediate patch is unavailable, temporarily disable the plugin and remove it from active use until a fixed version is released. For environments where the plugin must remain active, implement WordPress REST API restrictions at the web server or firewall level to block external access to the '/trustindex_feed_hook_instagram/' endpoint prefix, though this may affect legitimate functionality and should only be used as a temporary bridge until patching is complete.
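For the temporary bridge described above, an alternative that stays inside WordPress rather than the web server is a must-use plugin that denies non-administrator requests to the affected namespace before any route callback runs. This is an added example, not vendor code; it assumes the routes live under the '/trustindex_feed_hook_instagram/' prefix named in the advisory and that writing denials to the PHP error log is acceptable.

```php
<?php
/**
 * Plugin Name: Temporary REST guard for trustindex_feed_hook_instagram
 * Description: Added illustration, not vendor code. Place in wp-content/mu-plugins/
 *              until the plugin is updated past 1.8, then remove it.
 */

// rest_pre_dispatch fires before the matched route's permission_callback and
// callback, so a WP_Error returned here is sent to the client in their place.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $prefix = '/trustindex_feed_hook_instagram/'; // namespace from the advisory (assumed prefix)

    if ( 0 !== strpos( $request->get_route(), $prefix ) ) {
        return $result; // another namespace: leave other endpoints untouched
    }

    if ( current_user_can( 'manage_options' ) ) {
        return $result; // administrators with a valid REST nonce proceed normally
    }

    // Record denials so the temporary block, and any probing, is visible in logs.
    error_log( sprintf(
        'tfhi-guard: blocked %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden',
        'This endpoint is temporarily restricted to administrators.',
        array( 'status' => rest_authorization_required_code() ) // 401 for guests, 403 otherwise
    );
}, 10, 3 );
```

Because it lives in mu-plugins it cannot be deactivated from the admin panel, and like the web-server block it will also stop any legitimate front-end use of those endpoints, so it should be removed as soon as the fixed plugin version is installed.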
EUVD-2025-209610