What the vulnerability does
01Description
The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs.
Explanation of Vulnerability in Simple Terms
02Summary
PowerBI Embed Reports versions 1.2.0 and earlier expose sensitive information over the network without requiring authentication. An attacker can read confidential data by sending network requests to the affected component. No user interaction or special privileges are needed. Update to a version newer than 1.2.0 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read sensitive information from the PowerBI Embed Reports component without authentication.
Potential impact on your site
04Site Impact
Confidential data may be exposed to unauthenticated attackers over the network.
Conditions required to exploit
05Prerequisites
Network access to the affected component. No authentication or user interaction required.
Key dates
06Disclosure timeline
October 18, 2025
CVE published
April 8, 2026
Record updated