Vulnerability Description
The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/Obs
- https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/Obs
- https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/emb
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d830c2eb-16e8-425c-ac4
FAQ
What is CVE-2025-10750?
CVE-2025-10750 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authenticatio...
How severe is CVE-2025-10750?
CVE-2025-10750 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-10750?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.