CVE-2025-14726
Widgets for Social Photo Feed Plugin Unauthenticated Data Access
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trustindex | widgets_for_social_photo_feed | up to 1.8 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to specific REST API endpoints of the Widgets for Social Photo Feed plugin for WordPress. Detection can focus on monitoring access to the following endpoints: '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data'.
You can detect attempts to exploit this vulnerability by checking your web server logs for HTTP requests to these endpoints, especially those coming from unauthenticated sources.
Example commands to search for such requests in Apache or Nginx logs might include:
- grep "/trustindex_feed_hook_instagram/troubleshooting" /var/log/apache2/access.log
- grep "/trustindex_feed_hook_instagram/submit-data" /var/log/apache2/access.log
- grep "/trustindex_feed_hook_instagram/troubleshooting" /var/log/nginx/access.log
- grep "/trustindex_feed_hook_instagram/submit-data" /var/log/nginx/access.log
Additionally, monitoring for unexpected POST requests to these endpoints can help identify attempts to modify plugin settings.
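The grep commands above only find the literal path. As an added example that is not part of this record, the following Python script parses Apache/Nginx combined-format access logs for the two endpoints named above, rates POST requests higher, and also catches the `?rest_route=` URL form with percent-encoded slashes; the `/wp-json/` and `?rest_route=` URL forms and the sample log lines are assumptions constructed here, not taken from the record.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# The two REST routes named in the CVE record.
WATCHED_ENDPOINTS = (
    "/trustindex_feed_hook_instagram/troubleshooting",
    "/trustindex_feed_hook_instagram/submit-data",
)

# Combined log format, the default for both Apache and Nginx access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def watched_endpoint(path: str) -> Optional[str]:
    # Decode the path so an encoded slash (%2F in ?rest_route=...) cannot hide the route.
    decoded = unquote(path)
    return next((ep for ep in WATCHED_ENDPOINTS if ep in decoded), None)

def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    # One finding per request to a watched endpoint. POST is rated "high" because the
    # record describes POSTs as the way settings get modified; GET still signals probing.
    hits = []
    for line in lines:
        rec = parse_line(line)
        ep = watched_endpoint(rec["path"]) if rec else None
        if ep is None:
            continue
        hits.append({
            "ip": rec["ip"], "method": rec["method"], "endpoint": ep, "status": rec["status"],
            "severity": "high" if rec["method"] == "POST" else "medium",
        })
    return hits

# Constructed sample lines (not real traffic): both URL forms plus one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2026:10:00:01 +0000] "GET /wp-json/trustindex_feed_hook_instagram/troubleshooting HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.5 - - [02/May/2026:10:00:03 +0000] "POST /wp-json/trustindex_feed_hook_instagram/submit-data HTTP/1.1" 200 87 "-" "curl/8.5.0"
198.51.100.7 - - [02/May/2026:10:00:05 +0000] "GET /index.php?rest_route=%2Ftrustindex_feed_hook_instagram%2Ftroubleshooting HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [02/May/2026:10:00:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(*find_hits(SAMPLE_LOG.splitlines()), sep="\n")
```

Run it against a real access log with `find_hits(open(path).read().splitlines())`; a 200 status on a POST to submit-data from an unfamiliar client is the case worth investigating first.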
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Widgets for Social Photo Feed plugin to a version later than 1.8 where the missing capability check has been fixed.
If an update is not immediately available, consider temporarily disabling the plugin or restricting access to the vulnerable REST API endpoints using web server rules or firewall policies.
Implement access controls to ensure that only authenticated and authorized users can access the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' endpoints.
Monitor your logs for suspicious activity targeting these endpoints and respond accordingly.
Can you explain this vulnerability to me?
The Widgets for Social Photo Feed plugin for WordPress has a vulnerability due to missing capability checks on two REST API endpoints: '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data'.
This flaw allows unauthenticated attackers to access and modify plugin settings without proper authorization.
How can this vulnerability impact me?
Because unauthenticated attackers can access and update plugin settings, this vulnerability can lead to unauthorized changes in the plugin's behavior.
Such unauthorized modifications could potentially disrupt website functionality or expose sensitive configuration data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access and modify plugin settings due to missing capability checks on certain REST API endpoints.
This unauthorized access and modification of data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data and system configurations.
However, the provided information does not specify the exact nature of the data affected or the direct impact on compliance frameworks.