What the vulnerability does
01 Description
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.
Explanation of Vulnerability in Simple Terms
02 Summary
Widgets for Social Photo Feed versions 1.8 and earlier expose sensitive information and allow unauthorized modification of data. An attacker can access the site over the network without authentication to read private data and alter content. Update to a version newer than 1.8 to resolve this vulnerability.
What an attacker can do
03 Attacker Capabilities
Read private data and modify site content without authentication.
Potential impact on your site
04 Site Impact
Visitor data may be exposed and site content could be altered by unauthorized users.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 2, 2026: CVE published
May 4, 2026: Record updated