Medium severity6.5NVD Advisory· Published May 2, 2026· Updated May 5, 2026

CVE-2025-14726

Description

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.

Affected products

WordPress/Social Photo Feed Widgetinferred
Range: <=1.8
Package: https://wordpress.org/plugins/social-photo-feed-widget

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026)
Wordfence Blog · May 7, 2026
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026)
Wordfence Blog · Apr 9, 2026

cvss	0.423
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000