
CVE-2025-10750: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in cyberlord92 PowerBI Embed Reports

Severity: Medium
Tags: Vulnerability, CVE-2025-10750, CWE-200
Published: Sat Oct 18 2025 (10/18/2025, 07:26:32 UTC)
Source: CVE Database V5
Vendor/Project: cyberlord92
Product: PowerBI Embed Reports

Description

The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personally identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs.

AI-Powered Analysis

Last updated: 10/25/2025, 09:57:42 UTC

Technical Analysis

CVE-2025-10750 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the PowerBI Embed Reports plugin for WordPress, developed by cyberlord92. This plugin enables embedding PowerBI reports within WordPress sites, leveraging Azure Active Directory (Azure AD) for authentication and data access. The vulnerability exists in all versions up to and including 1.2.0 due to the absence of proper capability checks and authentication verification on the 'testUser' endpoint. This endpoint is accessible via the mo_epbr_admin_observer() function, which is hooked into WordPress's 'init' action, making it reachable without any authentication or user interaction. An unauthenticated attacker can invoke this endpoint remotely to retrieve sensitive Azure AD user information, including personally identifiable information (PII) such as displayName, mail, phone numbers, and department. Additionally, detailed OAuth error information is exposed, including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs. These details could aid attackers in reconnaissance, social engineering, or further attacks targeting Azure AD or the affected organization's infrastructure. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the vulnerability's ease of exploitation (no authentication required) but limited impact on confidentiality (only information disclosure, no integrity or availability impact). No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights a critical security oversight in the plugin's access control mechanisms, emphasizing the need for proper authentication and capability checks on sensitive endpoints.
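The root cause described above is a handler on WordPress's 'init' action that answers a request without checking who sent it. The following added illustration (not the plugin's own code) shows that pattern beside a hardened version; the request parameter name mo_epbr_action and the mo_epbr_fetch_graph_user() helper are assumptions, while the 'init' hook, the observer function name and the 'testUser' action come from the advisory.

```php
<?php
// Illustrative example, not the plugin's code. Assumed: the request parameter
// 'mo_epbr_action' and a helper mo_epbr_fetch_graph_user() that calls Microsoft
// Graph and returns an array on success or a WP_Error on failure.

// BEFORE: the pattern the advisory describes. 'init' fires on every request,
// anonymous ones included, so the only gate is the request parameter itself.
function mo_epbr_admin_observer_vulnerable() {
    if ( isset( $_REQUEST['mo_epbr_action'] ) && 'testUser' === $_REQUEST['mo_epbr_action'] ) {
        // Echoes the raw Graph/OAuth response: user PII or detailed error data.
        wp_send_json( mo_epbr_fetch_graph_user() );
    }
}

// AFTER: same hook, but the admin-only action is gated on authentication,
// capability and a nonce, and the response is reduced to what an admin needs.
function mo_epbr_admin_observer_hardened() {
    if ( ! isset( $_REQUEST['mo_epbr_action'] ) || 'testUser' !== $_REQUEST['mo_epbr_action'] ) {
        return; // Not our action; let the request proceed normally.
    }
    // 1. Only a logged-in administrator may run a connection test.
    //    wp_send_json_error() sends the response and exits.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // 2. Require a nonce bound to this action so a logged-in admin cannot be
    //    made to trigger it from another site (check_admin_referer() dies on failure).
    check_admin_referer( 'mo_epbr_test_user', 'mo_epbr_nonce' );

    // 3. Keep OAuth/Graph error detail (client IDs, trace and correlation IDs)
    //    in the server log; return only a generic status to the browser.
    $result = mo_epbr_fetch_graph_user();
    if ( is_wp_error( $result ) ) {
        error_log( 'mo_epbr testUser failed: ' . $result->get_error_message() );
        wp_send_json_error( array( 'message' => 'Connection test failed; see server log.' ), 502 );
    }
    // 4. Return the minimum field that proves the connection works.
    wp_send_json_success( array( 'displayName' => $result['displayName'] ?? '' ) );
}
add_action( 'init', 'mo_epbr_admin_observer_hardened' );
```

The same checks apply if the action is moved off 'init' onto an admin-only hook such as admin_post_{action}; the hook change alone does not replace the capability and nonce checks.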

Potential Impact

For European organizations, this vulnerability poses a significant privacy and security risk, especially for those using WordPress sites integrated with PowerBI and Azure AD. The unauthorized disclosure of PII such as names, emails, phone numbers, and departmental information can lead to privacy violations under GDPR and other data protection regulations, potentially resulting in legal and financial penalties. Exposure of OAuth error data and Azure AD Application/Client IDs can facilitate targeted attacks, including phishing, credential stuffing, or lateral movement within corporate networks. While the vulnerability does not allow direct modification or disruption of services, the information leakage can be leveraged for further exploitation. Organizations in sectors with high regulatory scrutiny or handling sensitive data—such as finance, healthcare, government, and critical infrastructure—are particularly at risk. The ease of exploitation without authentication increases the threat level, as attackers can scan for vulnerable endpoints and harvest data at scale. This could also damage organizational reputation and trust if customer or employee data is exposed. Given the widespread use of WordPress and PowerBI in Europe, the potential attack surface is considerable.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the PowerBI Embed Reports plugin and verify the version in use. Since no official patch is currently available, temporary mitigations include disabling or removing the plugin until a secure update is released. If the plugin is essential, restrict access to the WordPress admin area and the affected endpoints using web application firewalls (WAFs) or IP whitelisting to prevent unauthenticated access. Implement strict network segmentation and monitoring to detect unusual access patterns to the 'testUser' endpoint. Review and harden Azure AD application permissions and logging to detect suspicious activities related to OAuth tokens and client IDs. Engage with the plugin vendor or community to obtain updates or patches and apply them promptly once available. Additionally, conduct regular security assessments and penetration tests focusing on WordPress plugins and integrations. Educate administrators about the risks of exposing sensitive endpoints without authentication and enforce secure coding practices for custom plugins or modifications.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-19T20:28:14.943Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f3445827133b8ceda05e2d

Added to database: 10/18/2025, 7:40:08 AM

Last enriched: 10/25/2025, 9:57:42 AM

Last updated: 12/4/2025, 11:21:18 AM

Views: 81

