WordPress Plugin Vulnerabilities

Spotlight Social Media Feeds < 1.7.2 - Unauthenticated Sensitive Information Disclosure

Description

The Spotlight Social Feeds – Block, Shortcode, and Widget plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Affects Plugins

Plugin icon
spotlight-social-photo-feeds
Fixed in 1.7.2

References

CVE
CVE-2025-26758
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc2c41b5-71ab-44f3-baf8-c9fef1dadf2d

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
42953626-4335-437e-b72c-4b5fafc64d38

Timeline

Publicly Published
2025-02-14 (about 1 year ago)
Added
2025-02-18 (about 1 year ago)
Last Updated
2025-02-18 (about 1 year ago)

Other

Published
Title
Published
2024-02-14
Title
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages < 1.7.3 - Unauthenticated Information Exposure
Published
2026-02-02
Title
Tutor LMS < 3.9.6 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action
Published
2023-11-23
Title
WordPress Job Board and Recruitment Plugin – JobWP < 2.2 - Sensitive Information Exposure
Published
2025-06-10
Title
WP-DownloadManager < 1.68.11 - Authenticated (Administrator+) Arbitrary File Read
Published
2024-10-15
Title
Sina Extension for Elementor < 3.5.8 - Authenticated (Contributor+) Sensitive Information Exposure via Sina Modal Box Widget Elementor Template