CVE-2025-10637: CWE-862 Missing Authorization in quadlayers Social Feed Gallery
The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site.
AI Analysis
Technical Summary
CVE-2025-10637 identifies a missing authorization vulnerability (CWE-862) in the Social Feed Gallery plugin for WordPress, developed by quadlayers. This plugin aggregates Instagram feeds on WordPress sites. Versions up to and including 4.9.2 fail to properly verify whether a user is authorized to perform certain actions, specifically those that retrieve Instagram profile and media data connected by the site owner. Because the authorization check is missing, unauthenticated attackers can remotely access and exfiltrate Instagram content without any credentials or user interaction. The vulnerability affects all versions of the plugin prior to the fix. The CVSS 3.1 base score is 5.3, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts confidentiality only (C:L), with no impact on integrity or availability. No public exploits are known at this time, but the exposure of Instagram data can lead to privacy violations and potential reputational damage for site owners. The vulnerability is particularly relevant for websites that use this plugin to display social media content, especially those integrating multiple Instagram accounts or sensitive profiles. The lack of patch links indicates a fix may be pending or not yet publicly released.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of Instagram profile and media data linked to the vulnerable WordPress site. This can lead to privacy breaches for the site owner and potentially their followers or customers if sensitive or proprietary content is exposed. Organizations relying on this plugin for social media marketing or customer engagement risk reputational damage and loss of trust if attackers exploit this flaw. While the vulnerability does not affect data integrity or availability, the confidentiality breach could facilitate further social engineering or targeted attacks. Since exploitation requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of opportunistic scanning and data theft. Organizations with high social media presence or those in regulated industries may face compliance issues if personal data is exposed. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially once exploit code becomes available.
Mitigation Recommendations
Organizations should immediately determine whether they are running the Social Feed Gallery plugin at version 4.9.2 or earlier. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. If removal is not feasible, restrict access to the plugin’s functionality by implementing web application firewall (WAF) rules that block unauthenticated requests targeting the plugin endpoints. Monitoring web server logs for unusual access patterns related to Instagram feed retrieval can help detect exploitation attempts. Site owners should also review and limit the Instagram accounts connected to the plugin, avoiding linking sensitive or private profiles. Once a patch or update is available from quadlayers, it should be applied promptly. Additionally, consider isolating WordPress administrative interfaces behind VPNs or IP allowlists to reduce exposure. Regularly audit WordPress plugins for security updates and vulnerabilities to prevent similar issues.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-17T13:30:56.658Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc745855d697d32d438ff8
Added to database: 10/25/2025, 6:55:20 AM
Last enriched: 2/27/2026, 6:30:53 PM
Last updated: 3/23/2026, 4:03:03 PM