Description
The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site.
Published: 2025-10-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Assess Impact
AI Analysis

Impact

The Social Feed Gallery plugin for WordPress has a missing authorization check in its REST API that allows unauthenticated users to retrieve Instagram profile and media data for any Instagram account connected by the site owner. This results in a moderate information exposure: private content can be exfiltrated without any credentials, a breach of confidentiality. The weakness is classified as missing authorization (CWE-862).

Affected Systems

Vulnerable versions are all releases of the Quadlayers Social Feed Gallery plugin up to and including 4.9.2. Any WordPress site that has installed and activated the plugin and connected an Instagram account is at risk. The plugin's REST endpoint /user-profile is the entry point for the exploit.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS score of < 1% shows a very low probability of exploitation observed in the wild, and the vulnerability is not listed in the CISA KEV catalogue. Attackers can exploit the issue by sending unauthenticated GET requests to the plugin’s REST endpoint, which returns sensitive Instagram data. Since no authentication is enforced, the attack surface is public and requires only knowledge of the correct URL.

Generated by OpenCVE AI on April 21, 2026 at 02:03 UTC.
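The missing permission check the analysis describes, shown as an added illustration in WordPress REST API terms (example code, not the plugin's own; the example-feed/v1 namespace, the example_feed_* functions and the option name are hypothetical): the weak registration answers every visitor, the hardened one requires a logged-in user with a capability.

```php
<?php
// Added illustration of the CWE-862 pattern in a WordPress REST route; this is
// not the Social Feed Gallery plugin's code. The 'example-feed/v1' namespace,
// the 'example_feed_*' functions and the option name are hypothetical.

// WEAK: permission_callback is '__return_true', so the endpoint answers any
// unauthenticated GET with the stored profile data.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-feed/v1', '/user-profile', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_feed_get_profile',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: the same data behind a real authorization check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-feed/v1', '/user-profile-hardened', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_feed_get_profile',
        'permission_callback' => 'example_feed_can_read_profile',
    ) );
} );

// Returns true only for a logged-in user holding manage_options; a WP_Error
// returned here becomes the HTTP response and the callback never runs.
function example_feed_can_read_profile( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not read this profile.', array( 'status' => 403 ) );
    }
    return true;
}

// Stand-in data source: the real plugin's storage is not described on the page.
function example_feed_get_profile( WP_REST_Request $request ) {
    $profile = get_option( 'example_feed_profile', array() );
    return rest_ensure_response( $profile );
}
```

Cookie-authenticated REST requests must also carry a valid X-WP-Nonce header; without it WordPress treats the request as anonymous, so the hardened route rejects it with 401.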

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Social Feed Gallery plugin to the latest available version that includes the authorization check fix.
  • If no patch is immediately available, deactivate or uninstall the plugin until an updated release is deployed.
  • Restrict unauthenticated access to the plugin's REST API endpoints by configuring firewall rules or using a WordPress REST API restriction plugin to block or rate-limit GET requests to the /user-profile endpoint.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Quadlayers
                                       Quadlayers wp Social Feed Gallery
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Quadlayers
                                       Quadlayers wp Social Feed Gallery
                                       Wordpress
                                       Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 07:00:00 +0000

Type          Values Removed    Values Added
Description                     The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site.
Title                           Social Feed Gallery <= 4.9.2 - Missing Authorization to Unauthenticated Information Exposure
Weaknesses                      CWE-862
References
Metrics                         cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:18.459Z

Reserved: 2025-09-17T13:30:56.658Z

Link: CVE-2025-10637

Vulnrichment

Updated: 2025-10-27T15:38:41.225Z

NVD

Status: Deferred

Published: 2025-10-25T07:15:39.797

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:15:06Z

Weaknesses