CVE-2025-14726
published 2026-05-02
CVE-2025-14726: The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check…
Priority: P3 · 48 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EXPLOIT
EPSS: 0.83% (52.9th percentile)
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.
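One way to look for requests to the two endpoints named above in a web server access log, as an added example (not code from the plugin, the advisory or the Nuclei template). It assumes Combined Log Format, the standard WordPress REST entry points (`/wp-json/` and `?rest_route=`), and that the route strings appear in requests as the advisory writes them; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Route strings exactly as written in the advisory text.
ROUTES = ("/trustindex_feed_hook_instagram/troubleshooting",
          "/trustindex_feed_hook_instagram/submit-data")

# Combined Log Format: client ident user [time] "METHOD target PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def matched_route(target):
    """Return the advisory route a request target addresses, or None."""
    parts = urlsplit(target)
    # Pretty permalinks put the route in the path; plain permalinks put it in
    # the rest_route query parameter (parse_qs percent-decodes the value).
    candidates = [unquote(parts.path)] + parse_qs(parts.query).get("rest_route", [])
    for cand in candidates:
        for route in ROUTES:
            if route in cand.lower():  # WordPress matches routes case-insensitively
                return route
    return None

def scan(lines):
    """Map client IP -> list of (method, route, status) for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and (route := matched_route(m.group(3))):
            hits[m.group(1)].append((m.group(2), route, int(m.group(4))))
    return dict(hits)

def answered(hits):
    """Clients that got a 2xx from either route: the ones to triage first."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= status < 300 for _, _, status in reqs))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [02/May/2026:10:01:00 +0000] "GET /wp-json/trustindex_feed_hook_instagram/troubleshooting HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/May/2026:10:01:05 +0000] "POST /index.php?rest_route=%2Ftrustindex_feed_hook_instagram%2Fsubmit-data HTTP/1.1" 200 64',
    '198.51.100.4 - - [02/May/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048',
    '198.51.100.9 - - [02/May/2026:10:03:00 +0000] "GET /wp-json/trustindex_feed_hook_instagram/Troubleshooting?x=1 HTTP/1.1" 401 90',
]

if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE).items():
        print(ip, reqs)
    print("2xx responses:", answered(scan(SAMPLE)))
```

An access log in this format does not record whether a request carried a login cookie, so each hit is a lead to review against known administrator activity rather than confirmed abuse.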
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trustindex | widgets_for_social_photo_feed | <= 1.8 | — |
VulDB
trustindex Widgets for Social Photo Feed Plugin up to 1.8 on WordPress troubleshooting improper authorization
vuldb·2026-05-02·CVSS 6.5
CVE-2025-14726 [MEDIUM] trustindex Widgets for Social Photo Feed Plugin up to 1.8 on WordPress troubleshooting improper authorization
A vulnerability was found in trustindex Widgets for Social Photo Feed Plugin up to 1.8 on WordPress. It has been classified as critical. Affected is an unknown function of the file /trustindex_feed_hook_instagram/troubleshooting. This manipulation causes improper authorization.
The identification of this vulnerability is CVE-2025-14726. It is possible to initiate the attack remotely. There is no exploit available.
GHSA
GHSA-v9g8-4j77-xxgv: The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capabili
ghsa_unreviewed·2026-05-02
CVE-2025-14726 [MEDIUM] CWE-200 GHSA-v9g8-4j77-xxgv: The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capabili
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.
No detection rules found.
Nuclei
WordPress Widgets for Social Photo Feed <= 1.8 - Information Disclosure
nuclei·CVSS 6.5
CVE-2025-14726 [MEDIUM] WordPress Widgets for Social Photo Feed <= 1.8 - Information Disclosure
Widgets for Social Photo Feed WordPress plugin <= 1.8 contains a broken access control caused by missing capability checks on specific REST API endpoints, letting unauthenticated attackers access and modify plugin settings remotely.
Template:
```yaml
id: CVE-2025-14726
info:
  name: WordPress Widgets for Social Photo Feed <= 1.8 - Information Disclosure
  author: 0x_Akoko
  severity: medium
  description: |
    Widgets for Social Photo Feed WordPress plugin <= 1.8 contains a broken access control caused by missing capability checks on specific REST API endpoints, letting unauthenticated attackers access and modify plugin settings remotely.
  impact: |
    Unauthenticated attackers can access and modify plugin settings, potentially compromis
```
No writeups or analysis indexed.
2026-05-02
Published