CVE-2025-10637
📋 TL;DR
The Social Feed Gallery WordPress plugin versions ≤4.9.2 have an authorization bypass vulnerability that allows unauthenticated attackers to access Instagram profile and media data from any account connected to the site. This affects all WordPress sites using vulnerable versions of the plugin. Attackers can exfiltrate sensitive Instagram data without any authentication.
💻 Affected Systems
- Social Feed Gallery (insta-gallery) WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers harvest all Instagram profile data, media content, and metadata from connected accounts, potentially exposing private user information, business data, or copyrighted material.
Likely Case
Attackers scrape Instagram profile information and media data for reconnaissance, data collection, or to bypass Instagram's API limitations.
If Mitigated
With proper authorization checks, only authenticated users with appropriate permissions can access Instagram data through the plugin.
🎯 Exploit Status
Exploitation requires sending HTTP requests to vulnerable REST endpoints without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.9.3 or later
Vendor Advisory: https://wordpress.org/plugins/insta-gallery/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Social Feed Gallery' plugin.
4. Click 'Update Now' if available, or download the latest version from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
WordPress: add the following to your theme's functions.php (or a small must-use plugin) to unregister the vulnerable REST route until the plugin is updated. Note that the keys of the $endpoints array are routes relative to the REST root, so the /wp-json URL prefix must not be included or the filter will never match.
    add_filter('rest_endpoints', function ($endpoints) {
        // Route as the plugin registers it; the URL form is /wp-json/insta-gallery/v1/user-profile
        $route = '/insta-gallery/v1/user-profile';
        if (isset($endpoints[$route])) {
            unset($endpoints[$route]);
        }
        return $endpoints;
    });
🧯 If You Can't Patch
- Disable the Social Feed Gallery plugin immediately
- Remove Instagram account connections from the plugin settings
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Social Feed Gallery version number
Check Version:
wp plugin list --name=insta-gallery --field=version
Verify Fix Applied:
Verify plugin version is 4.9.3 or higher, then test REST endpoint /wp-json/insta-gallery/v1/user-profile returns 401/403 for unauthenticated requests
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to /wp-json/insta-gallery/v1/user-profile for requests carrying no WordPress login cookie or REST nonce
- Unusual traffic patterns to Instagram API endpoints
Network Indicators:
- HTTP GET requests to /wp-json/insta-gallery/v1/user-profile without authentication headers
- Outbound connections to Instagram API from WordPress server
SIEM Query:
source="wordpress.log" AND uri="/wp-json/insta-gallery/v1/user-profile" AND status=200 AND NOT auth_token=*
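The log indicators and SIEM query above, as an added detection example that is not part of the advisory: a Python scan over constructed JSON-lines access records that counts unauthenticated 200 responses to the user-profile route per client IP. The record layout and the `authenticated` field are assumptions (derive it upstream from a wordpress_logged_in_* cookie or X-WP-Nonce header); the scan also catches the `?rest_route=` URL form, which the SIEM query's exact `uri=` match would miss.

```python
"""Flag unauthenticated 200 responses to the insta-gallery user-profile REST route.

Added example, not code from the advisory or the plugin. Input is a constructed JSON-lines
access log; `authenticated` is assumed to be derived upstream. Adapt field names to your logs.
"""
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Route as registered with the REST API; /wp-json is the URL prefix, not part of the route.
ROUTE = "/insta-gallery/v1/user-profile"

# Constructed sample: two unauthenticated hits from one client, one logged-in hit, one hit via
# the ?rest_route= fallback WordPress accepts when pretty permalinks are off, plus noise.
SAMPLE_LOG = """\
{"ip": "203.0.113.7", "uri": "/wp-json/insta-gallery/v1/user-profile", "status": 200, "authenticated": false}
{"ip": "203.0.113.7", "uri": "/wp-json/insta-gallery/v1/user-profile?_=1", "status": 200, "authenticated": false}
{"ip": "198.51.100.2", "uri": "/wp-json/insta-gallery/v1/user-profile", "status": 200, "authenticated": true}
{"ip": "198.51.100.9", "uri": "/index.php?rest_route=/insta-gallery/v1/user-profile", "status": 200, "authenticated": false}
{"ip": "198.51.100.9", "uri": "/wp-json/wp/v2/posts", "status": 200, "authenticated": false}
{"ip": "192.0.2.5", "uri": "/wp-json/insta-gallery/v1/user-profile", "status": 401, "authenticated": false}
not json at all
"""

def rest_route(uri: str) -> str:
    """REST route a request targets ("" if none): /wp-json/<route> or ?rest_route=<route>."""
    parts = urlsplit(uri)
    path = parts.path.rstrip("/")
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):]
    route = parse_qs(parts.query).get("rest_route")
    return route[0].rstrip("/") if route else ""

def is_unauth_success(rec: dict) -> bool:
    """True for a successful read of the vulnerable route with no authenticated session."""
    return (rec.get("status") == 200
            and not rec.get("authenticated", False)
            and rest_route(rec.get("uri", "")) == ROUTE)

def scan(log_text: str) -> Counter:
    """Count suspicious hits per client IP, skipping lines that are not valid JSON."""
    hits = Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_unauth_success(rec):
            hits[rec.get("ip", "?")] += 1
    return hits
```

Run `scan(SAMPLE_LOG)` to get per-IP counts; any client with repeated hits on a patched site is worth a closer look, since the fixed version should no longer answer these requests with 200.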
🔗 References
- https://plugins.trac.wordpress.org/browser/insta-gallery/tags/4.9.2/lib/api/rest/endpoints/frontend/class-user-profile.php#L19
- https://plugins.trac.wordpress.org/changeset/3381423/insta-gallery/trunk/lib/api/rest/endpoints/frontend/class-user-profile.php
- https://wordpress.org/plugins/insta-gallery/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ae0dd6b0-9028-456e-9843-d45754c01c53?source=cve