CVE-2025-10750: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in cyberlord92 PowerBI Embed Reports
The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs.
AI Analysis
Technical Summary
CVE-2025-10750 affects the PowerBI Embed Reports plugin for WordPress by cyberlord92 in all versions up to and including 1.2.0. The root cause is the absence of any capability check or authentication verification on the 'testUser' endpoint, which is served by the mo_epbr_admin_observer() function hooked on WordPress's 'init' action. Because 'init' runs on every request, front-end and admin alike, the handler is reachable without ever visiting wp-admin: the only thing between an anonymous request and the Azure AD lookup is the handler's own authorization check, and that check is missing. An unauthenticated attacker can therefore trigger the test and read back Azure Active Directory (Azure AD, now Microsoft Entra ID) user data: personally identifiable information such as displayName, mail, phone numbers and department, or, when the OAuth flow fails, the detailed error payload including the Azure AD Application (Client) ID, error codes, trace IDs and correlation IDs. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3 (Medium), consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network-reachable, no privileges or user interaction required, limited confidentiality impact and no impact on integrity or availability. No in-the-wild exploitation has been reported and no patch was linked at the time of writing. The practical value to an attacker is reconnaissance: the leaked identity and application-registration details describe the Azure AD integration behind a WordPress site and can seed targeted follow-on attacks.
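The flaw class described above, shown as an added illustration rather than the plugin's own code: a request handler hooked on 'init' that acts on a 'testUser' action without asking who is calling, beside the hardened form a reviewer would expect. Only the names mo_epbr_admin_observer, 'testUser' and the 'init' hook come from the advisory; the request parameter names ('option', 'user'), the option key holding the Graph token, the nonce action name and the Graph path are assumptions made for the example.

```php
<?php
// Added illustration of the flaw class in CVE-2025-10750; not the plugin's code.
// Assumed: the 'option' and 'user' request parameters, the option key
// 'mo_epbr_access_token', the nonce action 'mo_epbr_test_user' and the Graph path.

// Minimal Graph client shared by both handlers (assumed shape).
function mo_epbr_graph_get( $path ) {
    $token    = get_option( 'mo_epbr_access_token' ); // assumed option name
    $response = wp_remote_get( 'https://graph.microsoft.com/v1.0' . $path, array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $response ) ) {
        return array( 'error' => array( 'message' => $response->get_error_message() ) );
    }
    // On token failure Graph returns a JSON error body carrying the error code,
    // trace ID and correlation ID; on success it returns the user object (PII).
    return json_decode( wp_remote_retrieve_body( $response ), true );
}

// BEFORE: the pattern the advisory describes. 'init' fires on every request,
// so an anonymous visitor reaches this, and nothing checks who is asking.
function mo_epbr_admin_observer_vulnerable() {
    if ( isset( $_REQUEST['option'] ) && 'testUser' === $_REQUEST['option'] ) {
        $user = isset( $_REQUEST['user'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['user'] ) ) : '';
        wp_send_json( mo_epbr_graph_get( '/users/' . rawurlencode( $user ) ) ); // echoes PII or OAuth error, then exits
    }
}

// AFTER: same hook, but the handler answers only an authenticated administrator
// who submitted the test form, and never echoes the raw Graph/OAuth body.
function mo_epbr_admin_observer_hardened() {
    if ( ! isset( $_REQUEST['option'] ) || 'testUser' !== $_REQUEST['option'] ) {
        return;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    // Nonce ties the request to a form the admin actually submitted (CSRF guard).
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'mo_epbr_test_user' ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 ); // exits
    }
    $user   = isset( $_REQUEST['user'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['user'] ) ) : '';
    $result = mo_epbr_graph_get( '/users/' . rawurlencode( $user ) );
    if ( isset( $result['error'] ) ) {
        // Client ID, trace and correlation IDs stay in the server log, not the response.
        error_log( 'mo_epbr testUser failed: ' . wp_json_encode( $result['error'] ) );
        wp_send_json_error( array( 'message' => 'lookup failed, see server log' ) );
    }
    // Return only what the connectivity test needs, not the whole directory record.
    wp_send_json_success( array( 'displayName' => isset( $result['displayName'] ) ? $result['displayName'] : '' ) );
}

add_action( 'init', 'mo_epbr_admin_observer_hardened' );
```

The admin-side form that triggers the test would emit the matching token with wp_nonce_field( 'mo_epbr_test_user' ). The two checks are deliberately separate: current_user_can() answers "is this principal allowed to run the test", the nonce answers "did this principal actually intend to run it now", and a handler on 'init' needs both because WordPress applies neither on its own.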
Potential Impact
The impact is confined to confidentiality: unauthorized disclosure of Azure AD user attributes and OAuth error details. Names, e-mail addresses, phone numbers and department information are exactly the fields a phishing or social-engineering campaign needs to look credible, and their exposure is a privacy incident in its own right, with GDPR and similar data-protection obligations attached. The OAuth error data is less dramatic but still useful to an attacker: the Application (Client) ID identifies the tenant's app registration, and the error codes reveal how the integration is configured and where its token flow breaks, which can inform further targeted attacks against the tenant or the site. Integrity and availability are not affected. Any organization running the plugin against a production Azure AD tenant should assume that the directory attributes returned by the test call have been readable by anyone on the internet who can reach the site.
Mitigation Recommendations
First confirm exposure: check the installed plugin version on the WordPress Plugins screen; anything up to and including 1.2.0 is affected, and no fixed release had been linked at the time of this entry, so watch the vendor's changelog and update as soon as a patched version appears. Until then, the cleanest interim measure is to deactivate the plugin; if that is not acceptable, block the 'testUser' request for anyone who is not an authenticated administrator. Because the handler runs on 'init', there is no admin-only URL path to restrict: the request can be sent to any page on the site, so a WAF or web-server rule must key on the request parameters that select the 'testUser' action rather than on a path under /wp-admin/. A must-use plugin that intercepts the request before the vulnerable hook runs is more reliable than a path-based rule. On the Azure AD side, review the sign-in and audit logs for the app registration whose Client ID the plugin uses, looking for Graph calls that do not line up with legitimate administrator tests; the leaked Client ID is a public identifier rather than a secret, so no credential rotation is implied unless the error data shows more. Longer term, audit other plugins for the same pattern of request handlers hooked on 'init' or 'admin_init' without a current_user_can() check and nonce verification, and keep plugin use to what the site actually needs.
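An interim shield of the kind described above, as an added example that is not vendor code: a must-use plugin whose 'init' callback runs before the vulnerable handler and terminates unauthenticated requests that carry the 'testUser' action. Because the advisory does not name the request parameter the plugin inspects, the example matches the literal 'testUser' in any GET or POST value; it also assumes mo_epbr_admin_observer() is attached at WordPress's default priority of 10, so a priority-0 callback runs first. The log line is there to give incident responders an IP and URI to pivot on.

```php
<?php
/**
 * Plugin Name: EPBR testUser interim shield
 * Description: Added example, not vendor code. Drop into wp-content/mu-plugins/
 *              so it loads before ordinary plugins. Remove once the vendor patch is applied.
 *
 * Assumptions: the vulnerable handler selects its action via a request value
 * containing 'testUser' (parameter name unknown), and it is hooked on 'init'
 * at the default priority 10, so priority 0 here runs ahead of it.
 */

// True when any GET/POST value mentions the action marker from the advisory.
function epbr_shield_request_mentions_test_user() {
    foreach ( array( $_GET, $_POST ) as $bag ) {
        foreach ( $bag as $value ) {
            if ( is_string( $value ) && false !== stripos( $value, 'testUser' ) ) {
                return true;
            }
        }
    }
    return false;
}

function epbr_shield_block_unauthenticated_test_user() {
    if ( ! epbr_shield_request_mentions_test_user() ) {
        return;
    }
    // Administrators keep the feature until the vendor patch lands.
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return;
    }
    // Record who probed, without echoing anything back to them.
    error_log( sprintf(
        'EPBR shield: blocked unauthenticated testUser request from %s to %s',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '?'
    ) );
    status_header( 403 );
    nocache_headers();
    exit;
}

// Priority 0: runs before the plugin's own 'init' callback at priority 10.
add_action( 'init', 'epbr_shield_block_unauthenticated_test_user', 0 );
```

Matching the marker anywhere in the request is deliberately coarse; once you have read the plugin source and know the exact parameter key, tighten the check to that key so unrelated form submissions that happen to contain the string are not refused. If the plugin turns out to register its hook at a priority below 0, move this callback to 'plugins_loaded', which always fires earlier than 'init'.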
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, India, Japan, Netherlands, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-19T20:28:14.943Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f3445827133b8ceda05e2d
Added to database: 10/18/2025, 7:40:08 AM
Last enriched: 2/27/2026, 6:40:18 PM
Last updated: 3/24/2026, 2:05:49 PM