CVE-2025-10637
Description
The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can exfiltrate Instagram profile and media data from any connected account through the Social Feed Gallery plugin for WordPress versions ≤ 4.9.2.
Vulnerability Overview
The Social Feed Gallery plugin for WordPress, versions 4.9.2 and earlier, contains an information exposure vulnerability due to insufficient authorization checks. The plugin fails to properly verify that a user is authorized to perform certain actions, allowing unauthenticated attackers to access sensitive data [1].
Exploitation Conditions
An unauthenticated attacker can exploit this by sending crafted requests to the plugin's endpoints that should require authentication. No special privileges or prior access to the WordPress installation are needed, as the issue stems from missing permission checks on actions that expose private data connected to the site [1].
Impact
Successful exploitation enables the attacker to exfiltrate Instagram profile information and media data from any account that the site owner connected to their website. This includes potentially private photos and metadata that the site owner intended to display only to their audience, leading to unauthorized disclosure of content [1].
Mitigation
The vendor has not yet released a patched version beyond 4.9.2 as of this writing. Users are advised to monitor the plugin's update channel or consider disabling the plugin until a security update is available. The issue is documented and publicly known [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
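As an added illustration of the bug class the Exploitation Conditions paragraph describes (a plugin endpoint that returns connected-account data without checking who is asking), and not code from the Social Feed Gallery plugin: a WordPress REST route registered with a permissive permission_callback, beside the same handler gated by a capability check. The namespace, routes, option key and function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Route names, option key and
// helper names are hypothetical.

add_action( 'rest_api_init', function () {
    // Weak: '__return_true' lets any visitor, logged in or not, reach the
    // handler, so connected-account data is readable without authorization.
    register_rest_route( 'example-gallery/v1', '/profile/(?P<account_id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_gallery_get_profile',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: the same handler behind a capability check plus argument
    // validation. Cookie-authenticated callers must also send a valid
    // X-WP-Nonce header, otherwise WordPress treats them as anonymous and
    // current_user_can() fails.
    register_rest_route( 'example-gallery/v1', '/admin/profile/(?P<account_id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_gallery_get_profile',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'account_id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_gallery_get_profile( WP_REST_Request $request ) {
    $account_id = (int) $request['account_id'];
    // Hypothetical storage of the connected account's data, keyed by id.
    $profile = get_option( 'example_gallery_account_' . $account_id );
    if ( ! is_array( $profile ) ) {
        return new WP_Error( 'not_found', 'Unknown account.', array( 'status' => 404 ) );
    }
    // Never return stored credentials, whoever the caller is.
    unset( $profile['access_token'] );
    return rest_ensure_response( $profile );
}
```

When auditing a plugin, a route whose permission_callback is `__return_true` is acceptable only if everything its callback returns is meant to be public.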
Affected products
- Range: <=4.9.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/insta-gallery/tags/4.9.2/lib/api/rest/endpoints/frontend/class-user-profile.php (source: NVD)
- plugins.trac.wordpress.org/changeset/3381423/insta-gallery/trunk/lib/api/rest/endpoints/frontend/class-user-profile.php (source: NVD)
- wordpress.org/plugins/insta-gallery/ (source: NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/ae0dd6b0-9028-456e-9843-d45754c01c53 (source: NVD)
News mentions
No linked articles in our index yet.