CVE-2025-10750: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in cyberlord92 PowerBI Embed Reports
The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs.
AI Analysis
Technical Summary
CVE-2025-10750 identifies a sensitive information disclosure vulnerability in the PowerBI Embed Reports plugin for WordPress, maintained by cyberlord92. The vulnerability exists in all versions up to and including 1.2.0 and stems from the absence of proper capability checks and authentication verification on the 'testUser' endpoint. This endpoint is reached through the mo_epbr_admin_observer() function, which is hooked into WordPress's 'init' action; because 'init' fires on every request, including anonymous front-end requests, the handler runs early in the request lifecycle, outside any admin-only context and before any capability check applies. As a result, unauthenticated attackers can query this endpoint and retrieve sensitive Azure Active Directory (Azure AD) user information. The data exposed includes personally identifiable information (PII) such as displayName, email addresses, phone numbers and department names, as well as detailed OAuth error information including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs. These details can be leveraged for further attacks, including social engineering, targeted phishing, or lateral movement within an organization's network. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3, indicating medium severity with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L) without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights a critical oversight in the access-control implementation within the plugin's codebase.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive user information stored in Azure AD, which may include employees' personally identifiable information and internal organizational details. Exposure of such data can lead to privacy violations under the GDPR, potentially resulting in legal penalties and reputational damage. Attackers could use the disclosed information to craft sophisticated phishing campaigns or gain insights for further exploitation of corporate networks. Organizations heavily reliant on PowerBI embedded reports integrated with Azure AD and using the vulnerable WordPress plugin are particularly at risk. While the vulnerability does not allow direct system compromise or data manipulation, the confidentiality breach alone can have significant operational and compliance consequences. The lack of authentication requirements means the attack can be conducted remotely without user interaction, increasing the attack surface. However, since no known exploits are currently in the wild, the immediate risk is moderate but could escalate if weaponized.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the PowerBI Embed Reports plugin and verify the version in use. Since no official patch links are currently available, organizations should consider the following mitigations:
1) Temporarily disable or remove the PowerBI Embed Reports plugin until a secure update is released.
2) Implement web application firewall (WAF) rules to block unauthenticated access to the 'testUser' endpoint or any URLs associated with mo_epbr_admin_observer().
3) Restrict access to the WordPress admin and plugin endpoints by IP whitelisting or VPN-only access where feasible. Note that a handler hooked on 'init' also runs on ordinary front-end requests, so restricting /wp-admin alone does not close the endpoint; the WAF rule in step 2 or removing the plugin is still needed.
4) Monitor web server logs for suspicious access patterns targeting the vulnerable endpoint.
5) Engage with the plugin vendor or community to obtain or contribute to a security patch that enforces proper authentication and capability checks on the affected endpoint.
6) Conduct internal audits of Azure AD logs to detect any anomalous queries or data access that could indicate exploitation attempts.
7) Educate IT and security teams about this vulnerability to ensure rapid response when updates become available.
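The root cause and the fix that step 5 asks for, as an added illustration that is not the plugin's own code: an 'init'-hooked observer that answers a privileged 'testUser' action for any visitor, beside a hardened handler that requires a logged-in administrator with a valid nonce and keeps OAuth/Graph error detail server-side. The query parameter name mo_epbr_action, the function names, and the mo_epbr_fetch_graph_user() helper are assumptions made for this example.

```php
<?php
// Added example, not from the plugin. Parameter and helper names are hypothetical.

// Hypothetical stand-in for the Microsoft Graph / Azure AD lookup.
function mo_epbr_fetch_graph_user() {
    return array( 'displayName' => 'Example User', 'mail' => 'user@example.invalid' );
}

// VULNERABLE PATTERN (the class of bug in CVE-2025-10750): hooked on 'init', which
// fires on every request, and it answers without any login, capability or nonce check.
function mo_epbr_admin_observer_vulnerable() {
    if ( isset( $_GET['mo_epbr_action'] ) && $_GET['mo_epbr_action'] === 'testUser' ) {
        // Leaks displayName, mail, phones, department, or raw OAuth error data to anyone.
        wp_send_json( mo_epbr_fetch_graph_user() );
    }
}
// add_action( 'init', 'mo_epbr_admin_observer_vulnerable' );  // what the vulnerable shape looks like

// HARDENED PATTERN: same hook, but the handler refuses unauthenticated or
// non-admin callers, verifies a nonce, and never echoes provider error detail.
function mo_epbr_admin_observer_hardened() {
    if ( ! isset( $_GET['mo_epbr_action'] ) || $_GET['mo_epbr_action'] !== 'testUser' ) {
        return; // not our request, let WordPress continue
    }
    // Capability check: only administrators may run the connectivity test.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: the admin page issues wp_create_nonce( 'mo_epbr_test_user' );
    // check_ajax_referer() dies with a 403 when the 'nonce' query arg is missing or invalid.
    check_ajax_referer( 'mo_epbr_test_user', 'nonce' );

    $result = mo_epbr_fetch_graph_user();
    if ( is_wp_error( $result ) ) {
        // Keep client IDs, trace IDs and correlation IDs in the server log only.
        error_log( 'mo_epbr testUser failed: ' . $result->get_error_message() );
        wp_send_json_error( array( 'message' => 'lookup failed' ), 502 );
    }
    wp_send_json_success( $result );
}
add_action( 'init', 'mo_epbr_admin_observer_hardened' );
```

Better still, such an admin-only test belongs behind admin-ajax or a REST route with a permission_callback rather than on 'init', so it is never reachable from anonymous front-end requests at all.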
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-19T20:28:14.943Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f3445827133b8ceda05e2d
Added to database: 10/18/2025, 7:40:08 AM
Last enriched: 10/18/2025, 7:41:52 AM
Last updated: 10/18/2025, 6:20:33 PM