WordPress Plugin Vulnerabilities

WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) < 4.0.2 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification

Description

The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings.

Affects Plugins

Plugin icon
wp-social-reviews
Fixed in 4.0.2

References

CVE
CVE-2025-13880
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
15144a00-e3aa-409b-b402-d38d81412dbe

Timeline

Publicly Published
2025-12-16 (about 6 months ago)
Added
2025-12-16 (about 6 months ago)
Last Updated
2025-12-17 (about 6 months ago)

Other

Published
Title
Published
2025-03-27
Title
RomethemeKit For Elementor < 1.5.5 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Published
2025-01-30
Title
Safe Ai Malware Protection for WP < 1.0.18 - Missing Authorization to Unauthenticated Database Export
Published
2023-11-06
Title
ImageMapper <= 1.2.6 - Subscriber+ Arbitrary Post Deletion
Published
2022-04-11
Title
Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update
Published
2026-05-29
Title
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace < 2.11.11 - Missing Authorization