CVE-2025-13880

EUVD-2025-203870

17.12.2025, 05:16

The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Wordfence	CNA	6.5 MEDIUM				CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Controllers/SettingsController.php#L144

https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Policies/SettingsPolicy.php#L14

https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Routes/api.php#L44

https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Services/PermissionManager.php#L176

https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546?source=cve