CVE-2025-10750: 
WordPress vulnerability analysis and mitigation

The PowerBI Embed Reports plugin for WordPress contains a sensitive information disclosure vulnerability (CVE-2025-10750) affecting all versions up to and including 1.2.0. The vulnerability was discovered on October 17, 2025 and publicly disclosed on October 18, 2025. The issue exists in the 'testUser' endpoint accessible via the moepbradmin_observer() function that is hooked on 'init' (NVD).

The vulnerability stems from missing capability checks and authentication verification on the 'testUser' endpoint. The affected code is located in the adminObserver.php file where the moepbradmin_observer() function fails to properly validate user permissions before exposing sensitive information. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating it is network accessible, requires low complexity to exploit, and needs no privileges or user interaction (Wordfence).

When exploited, the vulnerability allows unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, as well as detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs (NVD).

The vulnerability has been patched in version 1.2.1 of the PowerBI Embed Reports plugin. Users are advised to update to this version immediately. The fix includes implementing proper capability checks and authentication verification on the affected endpoint (NVD).