CVE-2025-10750

Name of the Vulnerable Software and Affected Versions PowerBI Embed Reports plugin for WordPress versions prior to 1.2.1

Description The PowerBI Embed Reports plugin for WordPress is susceptible to unauthorized disclosure of sensitive information. This is a result of inadequate capability checks and authentication verification on the testUser API endpoint. Attackers do not need to be authenticated to access sensitive Azure AD user information, including personally identifiable information (PII) such as displayName, mail, phones, and department. Additionally, detailed OAuth error data, including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs, can be accessed. The issue is related to the mo epbr admin observer() function hooked on the 'init' action.

Recommendations Update the PowerBI Embed Reports plugin to version 1.2.1 or later.