CVE-2025-10637: CWE-862 Missing Authorization in quadlayers Social Feed Gallery
The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site.
AI Analysis
Technical Summary
CVE-2025-10637 is a Missing Authorization (CWE-862) vulnerability in the Social Feed Gallery plugin for WordPress, developed by quadlayers. The plugin pulls Instagram feeds into WordPress sites for display. Versions up to and including 4.9.2 do not verify that the caller is authorized before serving the Instagram profile and media data the plugin holds for accounts the site owner connected. An unauthenticated attacker can therefore request and exfiltrate that data remotely, with no credentials and no user interaction. Note that the data at risk is what the plugin has obtained for any connected account, which may include profile details and media the site does not render on its public pages. The impact is limited to confidentiality; integrity and availability are unaffected. The attack is network-reachable, low complexity and requires no privileges, which is consistent with the published CVSS v3.1 base score of 5.3 (medium). No public exploit had been reported at the time of writing, but WordPress and social feed plugins are widely deployed, and an unauthenticated read of this kind is easy to script once the endpoint is known. The vulnerability was published on October 25, 2025; no patched release was noted at the time of reporting, so affected sites remain exposed until an update or workaround is applied.
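To make the CWE-862 shape concrete, the following added example shows how a WordPress plugin ends up in this situation and how the same handlers look once an authorization decision is made. It is illustrative code written for this page, not the Social Feed Gallery source: the plugin's real endpoint names, option keys and handler logic are not on this page and are not reproduced here. Every route, option and function name below (sfg-example/v1, sfg_example_feed_cache, sfg_example_display_accounts and the sfg_example_* functions) is hypothetical.

```php
<?php
/**
 * Added example of the CWE-862 pattern in a WordPress plugin and its fix.
 * Not the Social Feed Gallery code; all names here are hypothetical.
 */

// Stand-in for "Instagram data for the accounts the site owner connected":
// whatever the plugin cached after calling Instagram with the owner's
// connection. Keyed by account id, each value holds 'profile' and 'media'.
function sfg_example_get_cached_feed() {
    return get_option( 'sfg_example_feed_cache', array() );
}

/* ---- Vulnerable shape: the whole cache is returned to any caller ---- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'sfg-example/v1', '/feed', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( sfg_example_get_cached_feed() );
        },
        // Missing authorization: every request on the internet passes this.
        'permission_callback' => '__return_true',
    ) );
} );

// Same defect on admin-ajax: the wp_ajax_nopriv_ hook exposes the handler to
// logged-out users, and the handler checks neither a nonce nor a capability.
add_action( 'wp_ajax_sfg_example_feed',        'sfg_example_ajax_feed_vulnerable' );
add_action( 'wp_ajax_nopriv_sfg_example_feed', 'sfg_example_ajax_feed_vulnerable' );
function sfg_example_ajax_feed_vulnerable() {
    wp_send_json_success( sfg_example_get_cached_feed() );
}

/* ---- Hardened shape: decide who may see what ---- */

// The full cache (every connected account, all fields) is administrative
// data, so it is only served to a user who can manage the site's settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'sfg-example/v1', '/feed-admin', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( sfg_example_get_cached_feed() );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// No wp_ajax_nopriv_ registration, so logged-out callers never reach this.
// The nonce stops a cross-site request riding a logged-in session; the
// capability check is the actual authorization decision.
add_action( 'wp_ajax_sfg_example_feed_admin', 'sfg_example_ajax_feed_hardened' );
function sfg_example_ajax_feed_hardened() {
    check_ajax_referer( 'sfg_example_feed_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( sfg_example_get_cached_feed() );
}

// A gallery plugin does legitimately render feed data to anonymous visitors.
// The public path should therefore return only what the page would show
// anyway: the accounts enabled for display, reduced to an allowlist of
// fields, never the raw cache of every connected account.
function sfg_example_public_feed() {
    $display = get_option( 'sfg_example_display_accounts', array() );
    $allowed = array_flip( array( 'id', 'media_url', 'permalink', 'caption' ) );
    $out     = array();
    foreach ( sfg_example_get_cached_feed() as $account_id => $data ) {
        if ( ! in_array( $account_id, $display, true ) ) {
            continue;
        }
        $media = isset( $data['media'] ) ? $data['media'] : array();
        $out[ $account_id ] = array_map( function ( $item ) use ( $allowed ) {
            return array_intersect_key( $item, $allowed );
        }, $media );
    }
    return $out;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'sfg-example/v1', '/feed-public', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( sfg_example_public_feed() );
        },
        // Public by design, but the callback only hands out display data.
        'permission_callback' => '__return_true',
    ) );
} );
```

The practical lesson is that "unauthenticated" is not automatically wrong for a feed plugin; the defect is an endpoint that answers anonymous requests with the full data set the owner's Instagram connection can see. When reviewing a plugin for this class of bug, look for `permission_callback => '__return_true'` and `wp_ajax_nopriv_` hooks, then check whether the data each one returns is really limited to what the public page renders.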
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of Instagram data connected to their WordPress sites. Organizations relying on social media feeds for marketing, brand engagement, or customer interaction may inadvertently expose sensitive or proprietary content, leading to reputational damage or privacy violations under GDPR. Although the vulnerability does not allow modification or deletion of data, the unauthorized disclosure could facilitate social engineering attacks or competitive intelligence gathering. Small and medium enterprises (SMEs) using WordPress with this plugin are particularly at risk due to limited security resources. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic attacks. Additionally, organizations in regulated sectors such as finance or healthcare may face compliance risks if personal data is exposed. The impact on availability and integrity is negligible, but the breach of confidentiality alone warrants prompt remediation.
Mitigation Recommendations
1. Monitor quadlayers' release channels and the WordPress plugin directory for a fixed version and update as soon as one is published.
2. Until a fix is available, deactivate or uninstall the Social Feed Gallery plugin; removing the plugin removes the exposed endpoint.
3. If the plugin must stay active, identify its unauthenticated data-fetching endpoints from the plugin source and block or restrict them for anonymous requests at the web server or WAF; verify the rule by replaying an unauthenticated request and confirming it is refused.
4. Use a WordPress security plugin or WAF that can detect and block requests to the affected endpoints, including any virtual-patching rule published for this CVE.
5. Audit which Instagram accounts are connected to the site and disconnect any that are not needed for display, since the exposed data covers every connected account; monitor logs for unusual volumes of requests to the plugin's endpoints.
6. Educate site administrators on the risks of third-party plugins and enforce strict plugin vetting policies.
7. Apply rate limiting to the plugin's endpoints; IP allowlisting is only practical where the feed does not need to be served to anonymous visitors.
8. Review and update privacy policies to reflect potential data exposure risks and ensure GDPR compliance.
9. Back up website data regularly to facilitate recovery if further vulnerabilities are discovered.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-17T13:30:56.658Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc745855d697d32d438ff8
Added to database: 10/25/2025, 6:55:20 AM
Last enriched: 10/25/2025, 6:57:26 AM
Last updated: 10/30/2025, 1:44:38 PM