Description
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.
Published: 2026-05-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Widgets for Social Photo Feed plugin contains a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all releases up to and including version 1.8. This flaw permits any unauthenticated user to retrieve and alter the plugin's configuration settings. The weakness is classified under CWE-200 as a privacy and integrity issue.

Affected Systems

All WordPress sites running Trustindex Widgets for Social Photo Feed version 1.8 or earlier are affected, regardless of any other hardening in place. The vulnerability lies in the plugin's own REST endpoints and does not depend on other WordPress components.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5 (medium). No EPSS score is available, so the current probability of exploitation is unknown, and the issue is not listed in the CISA KEV catalog. The flaw is reachable remotely through unauthenticated HTTP requests to the exposed REST API endpoints; no privileges, user interaction, or special conditions are required.

Generated by OpenCVE AI on May 2, 2026 at 10:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest release of Widgets for Social Photo Feed as soon as a version that adds the missing capability checks is available.
  • If an immediate update cannot be performed, block or restrict access to the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' endpoints using a firewall rule, .htaccess restriction, or server configuration that requires authentication for all REST API traffic.
  • Configure the WordPress REST API to enforce authentication for privileged actions or limit the IP addresses that can reach WordPress endpoints, thereby reducing the attack surface for unauthenticated access.
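As an added example (not the plugin's or OpenCVE's code), this is the shape a stopgap of the kind described above can take inside WordPress itself: a must-use plugin that hooks `rest_request_before_callbacks` and refuses the two advisory routes to any caller lacking `manage_options`, followed by the `permission_callback` pattern that avoids this class of bug at registration time. The `manage_options` capability and the `example_ns/v1` route are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict trustindex feed REST routes (added example, not vendor code)
 * Place in wp-content/mu-plugins/ as an interim control until a fixed release exists.
 */

// The two routes named in the advisory. WordPress matches on the full route path,
// so the namespace/route split used inside the plugin does not matter here.
const TI_RESTRICTED_ROUTES = array(
    '/trustindex_feed_hook_instagram/troubleshooting',
    '/trustindex_feed_hook_instagram/submit-data',
);

// Runs after the route is resolved but before its callback executes;
// returning a WP_Error short-circuits the request with that error.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $route = $request->get_route();
    foreach ( TI_RESTRICTED_ROUTES as $restricted ) {
        if ( 0 !== strpos( $route, $restricted ) ) {
            continue;
        }
        // manage_options is an assumption; a settings endpoint would normally
        // require the same capability as the plugin's admin settings page.
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error(
                'rest_forbidden',
                'Sorry, you are not allowed to do that.',
                // 401 for anonymous callers, 403 for logged-in users without the capability.
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }
    return $response;
}, 10, 3 );

// For comparison: the registration pattern that prevents the bug. A permission_callback
// that checks a capability, rather than '__return_true' (public) or none at all.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example_ns/v1', '/settings', array(   // illustrative route
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'example_setting', sanitize_text_field( $req->get_param( 'value' ) ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

With the filter in place, legitimate admin requests to those routes must carry a valid REST nonce (`X-WP-Nonce`) or application-password credentials, since that is how WordPress establishes the current user in REST context.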



Advisories

No advisories yet.

History

Sat, 02 May 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Trustindex; Trustindex widgets For Social Photo Feed; Wordpress; Wordpress wordpress
Vendors & Products | - | Trustindex; Trustindex widgets For Social Photo Feed; Wordpress; Wordpress wordpress

Sat, 02 May 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | - | The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.
Title | - | Widgets for Social Photo Feed <= 1.8 - Missing Authentication to Unauthenticated Plugin Settings Access/Update via trustindex_feed_hook_instagram REST API endpoints
Weaknesses | - | CWE-200
References | - | -
Metrics | - | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T04:27:45.261Z

Reserved: 2025-12-15T15:50:52.297Z

Link: CVE-2025-14726

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T05:16:00.093

Modified: 2026-05-02T05:16:00.093

Link: CVE-2025-14726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses