Description
Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widgets for Social Photo Feed: from n/a through <= 1.8.
Published: 2025-12-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that permits users to manipulate the plugin’s configuration and access its social photo feed data without proper privileges. This flaw is exposed through the plugin’s administrative interfaces, allowing an attacker who can reach these pages to change settings, view content, or execute privileged actions that normally require higher-level roles. The weakness is identified as CWE‑862, indicating an authorization bypass.

Affected Systems

The affected product is the Trustindex Widgets for Social Photo Feed WordPress plugin, version 1.8 or earlier. All installations of this plugin under that version range are susceptible.

Risk and Exploitability

With a CVSS score of 5.3 the flaw is considered moderate; the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description it is inferred that the attack vector is through web‑accessible plugin endpoints, likely requiring access to the WordPress dashboard or the plugin’s public URLs. No additional conditions such as local user privileges are stated, so the flaw may be exploitable by any user who can interact with the plugin’s interfaces.

Generated by OpenCVE AI on April 29, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Trustindex Widgets for Social Photo Feed plugin to version 1.9 or later, where the access control fix has been applied.
  • Review and restrict user roles so that only administrators or designated editors can access the plugin’s configuration pages.
  • If an update is not immediately possible, consider removing or disabling the plugin until a patch is applied, and monitor for any unauthorized access attempts.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widgets for Social Photo Feed: from n/a through <= 1.7.7.
Values Added: Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widgets for Social Photo Feed: from n/a through <= 1.8.

Type: Title
Values Removed: WordPress Widgets for Social Photo Feed plugin <= 1.7.7 - Broken Access Control vulnerability
Values Added: WordPress Widgets for Social Photo Feed plugin <= 1.8 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Trustindex; Trustindex widgets For Social Photo Feed; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Trustindex; Trustindex widgets For Social Photo Feed; Wordpress; Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 13:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widgets for Social Photo Feed: from n/a through <= 1.7.7.

Type: Title
Values Removed: (none)
Values Added: WordPress Widgets for Social Photo Feed plugin <= 1.7.7 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:31.316Z

Reserved: 2025-12-19T10:20:05.495Z

Link: CVE-2025-68595

Vulnrichment

Updated: 2025-12-24T18:46:02.897Z

NVD

Status: Deferred

Published: 2025-12-24T13:16:26.940

Modified: 2026-04-27T19:16:35.150

Link: CVE-2025-68595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:30:17Z

Weaknesses