Unauthorized Data Access and Modification in Widgets for Social Photo Feed Plugin by WordPress
CVE-2025-14726

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Widgets For Social Photo Feed
Vendor: CVE Published:; 2 May 2026

What is CVE-2025-14726?

The Widgets for Social Photo Feed plugin for WordPress suffers from an improper authorization vulnerability that allows unauthorized users to access sensitive data and modify plugin settings. This issue arises from a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints. Attackers can exploit this vulnerability to perform unauthorized actions on the plugin, potentially compromising the integrity of user data and settings in all versions up to and including 1.8.

Affected Version(s)

Widgets for Social Photo Feed 0 <= 1.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3513612/soci...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
Dec 15, 2025

Credit

German

CVE-2025-14726 Data

JSON