CVE-2025-10750 MEDIUM

CVE-2025-10750: PowerBI Embed Reports <= 1.2.0 - Unauthenticated Sensitive Information Disclosure

Vendor Cyberlord92
Product PowerBI Embed Reports
Weakness CWE-200 · Info exposure
Published October 18, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information, including personally identifiable information (PII) such as displayName, mail, phones, and department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs.
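The missing controls named above, sketched as a hardened handler. This is an added example, not the plugin's code or its actual patch: every `example_*` name, the POST field names, and the nonce action are hypothetical, and the lookup function is a stand-in that returns constructed data.

```php
<?php
// Added example for a WordPress plugin file; not the plugin's code.
// example_* names, the POST field names and the nonce action are hypothetical.

// admin_init still fires for unauthenticated admin-ajax.php / admin-post.php
// requests, so the hook alone is not a control: the checks below are.
add_action( 'admin_init', 'example_admin_observer' );

function example_admin_observer() {
    if ( ! isset( $_POST['example_option'] ) ) {
        return; // not a request for this handler
    }
    $option = sanitize_text_field( wp_unslash( $_POST['example_option'] ) );
    if ( 'testUser' !== $option ) {
        return;
    }
    // 1. Authentication and authorization: administrators only.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the admin form must carry
    //    wp_nonce_field( 'example_test_user', 'example_nonce' ).
    check_admin_referer( 'example_test_user', 'example_nonce' );

    $result = example_lookup_test_user();
    if ( is_wp_error( $result ) ) {
        // 3. Keep OAuth error detail (client ID, trace and correlation IDs)
        //    in the server log, never in the HTTP response.
        error_log( 'example test-user lookup failed: ' . $result->get_error_message() );
        wp_die( 'Test user lookup failed; see the server log.', '', array( 'response' => 502 ) );
    }
    // 4. Return only what the admin screen needs, escaped on output.
    $name = isset( $result['displayName'] ) ? $result['displayName'] : '';
    wp_die( esc_html( 'Test user found: ' . $name ), '', array( 'response' => 200 ) );
}

// Stand-in for the plugin's Azure AD lookup; returns constructed sample data.
function example_lookup_test_user() {
    return array( 'displayName' => 'Constructed User', 'mail' => 'user@example.test' );
}
```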

Explanation of Vulnerability in Simple Terms

02 Summary

PowerBI Embed Reports versions 1.2.0 and earlier expose sensitive information over the network without requiring authentication. An attacker can read confidential data by sending network requests to the affected component. No user interaction or special privileges are needed. Update to a version newer than 1.2.0 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Read sensitive information from the PowerBI Embed Reports component without authentication.

Potential impact on your site

04 Site Impact

Confidential data may be exposed to unauthenticated attackers over the network.

Conditions required to exploit

05 Prerequisites

Network access to the affected component. No authentication or user interaction required.

Key dates

06 Disclosure timeline

October 18, 2025 CVE published
April 8, 2026 Record updated