CVE-2025-10750
📋 TL;DR
The PowerBI Embed Reports WordPress plugin up to version 1.2.0 contains an unauthenticated information disclosure vulnerability. Attackers can access sensitive Azure AD user information including PII and OAuth error data without authentication. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- PowerBI Embed Reports WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of Azure AD user directory information including personal identifiable information, potentially leading to identity theft, targeted phishing, or credential harvesting attacks.
Likely Case
Unauthenticated attackers harvesting PII and Azure AD configuration data for reconnaissance or social engineering attacks.
If Mitigated
Limited exposure if plugin is disabled or network access is restricted, though vulnerability remains present.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint without authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.2.0
Restart Required: No
Instructions:
1. Update PowerBI Embed Reports plugin to latest version via WordPress admin panel. 2. Verify plugin version is greater than 1.2.0. 3. No server restart required.
🔧 Temporary Workarounds
Disable vulnerable endpoint via .htaccess
ApacheBlock access to the vulnerable testUser endpoint using web server configuration
# Add to .htaccess file
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*/wp-content/plugins/embed-power-bi-reports/.*testUser.*$
RewriteRule ^ - [F,L]
Disable plugin temporarily
WordPress CLIDeactivate the PowerBI Embed Reports plugin until patched
wp plugin deactivate embed-power-bi-reports
🧯 If You Can't Patch
- Disable the PowerBI Embed Reports plugin immediately
- Implement network-level restrictions to block external access to WordPress admin endpoints
🔍 How to Verify
Check if Vulnerable:
Check if plugin version is 1.2.0 or lower in WordPress admin panel under Plugins sectionCheck Version:
wp plugin get embed-power-bi-reports --field=versionVerify Fix Applied:
Verify plugin version is greater than 1.2.0 and test endpoint returns proper authentication error📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/embed-power-bi-reports/*testUser* from unauthenticated users
- Multiple 200 responses to testUser endpoint
Network Indicators:
- Unusual traffic patterns to plugin-specific endpoints from external IPs
- GET requests containing 'testUser' parameter
SIEM Query:
source="web_access_logs" AND uri="*testUser*" AND response_code=200 AND user_agent NOT IN ("WordPress/*")🔗 References
- https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/Observer/adminObserver.php#L265
- https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/Observer/adminObserver.php#L54
- https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/embed-microsoft-power-bi-reports.php#L75
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3369956%40embed-power-bi-reports&new=3369956%40embed-power-bi-reports&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d830c2eb-16e8-425c-ac46-a467a2fd0133?source=cve
