What the vulnerability does
01 Description
The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site.
Explanation of Vulnerability in Simple Terms
02 Summary
Social Feed Gallery through version 4.9.2 fails to properly check user permissions before allowing access to certain data. An unauthenticated attacker can read sensitive information without logging in and without any action by a site user. The vulnerability affects all versions from release through 4.9.2.
What an attacker can do
03 Attacker Capabilities
Read sensitive data without authentication or user interaction.
Potential impact on your site
04 Site Impact
Unauthorized visitors can access data that should be restricted, potentially exposing private information.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user action required.
Key dates
06 Disclosure timeline
October 25, 2025: CVE published
April 8, 2026: Record updated