CVE-2025-14726

MEDIUM 6.5

Widgets for Social Photo Feed <= 1.8 - Missing Authentication to Unauthenticated Plugin Settings Access/Update via trustindex_feed_hook_instagram REST API endpoints

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.

CWE	CWE-200
Vendor	trustindex
Product	widgets for social photo feed
Published	May 2, 2026

Stay Ahead of the Next One

Get instant alerts for trustindex widgets for social photo feed

Be the first to know when new medium vulnerabilities affecting trustindex widgets for social photo feed are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

trustindex / Widgets for Social Photo Feed

0 ≤ 1.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget

Credits

German