{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13007", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-11T14:37:22.474Z", "datePublished": "2025-12-02T06:40:24.247Z", "dateUpdated": "2026-04-08T16:37:14.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:14.689Z"}, "affected": [{"vendor": "adreastrian", "product": "WP Social Ninja \u2013 Embed Social Feeds, User Reviews & Chat Widgets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.20.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page."}], "title": "WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 3.20.3 - Unauthenticated Stored Cross-Site Scripting via External Content Import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16c9ed4a-9e9f-4f10-b3fd-7f0db2c86112?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Platforms/Reviews/GoogleMyBusiness.php#L308"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Views/public/reviews-templates/elements/review-content.php#L7"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Helper.php#L19"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397264%40wp-social-reviews%2Ftrunk&old=3392979%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3400414%40wp-social-reviews%2Ftrunk&old=3397264%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "timeline": [{"time": "2025-11-11T14:52:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-01T17:36:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-02T14:16:25.035165Z", "id": "CVE-2025-13007", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T14:16:32.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13007", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-02T14:16:25.035165Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T14:16:29.348Z"}}], "cna": {"title": "WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 3.20.3 - Unauthenticated Stored Cross-Site Scripting via External Content Import", "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "adreastrian", "product": "WP Social Ninja \u2013 Embed Social Feeds, User Reviews & Chat Widgets", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.20.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-11T14:52:33.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-01T17:36:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16c9ed4a-9e9f-4f10-b3fd-7f0db2c86112?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Platforms/Reviews/GoogleMyBusiness.php#L308"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Views/public/reviews-templates/elements/review-content.php#L7"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Helper.php#L19"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397264%40wp-social-reviews%2Ftrunk&old=3392979%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3400414%40wp-social-reviews%2Ftrunk&old=3397264%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:14.689Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13007", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:14.689Z", "dateReserved": "2025-11-11T14:37:22.474Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-02T06:40:24.247Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page."}], "id": "CVE-2025-13007", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-02T07:15:48.217", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Helper.php#L19"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Platforms/Reviews/GoogleMyBusiness.php#L308"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Views/public/reviews-templates/elements/review-content.php#L7"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397264%40wp-social-reviews%2Ftrunk&old=3392979%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3400414%40wp-social-reviews%2Ftrunk&old=3397264%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16c9ed4a-9e9f-4f10-b3fd-7f0db2c86112?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:59:57.122827+00:00", "value": {"mitigation_remediation": ["Upgrade WP Social Ninja to the latest patch version (3.20.4 or newer) where input sanitization is fixed.", "If an update cannot be applied immediately, consider disabling or uninstalling the plugin to remove the attack surface until a fix is installed.", "Monitor external content sources for suspicious or unauthorized submissions; remove or quarantine any reviews that contain unexpected HTML before they are rendered.", "Implement a strong Content Security Policy that blocks inline scripts on review pages and enable browser XSS protection."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WP Social Ninja plugin by adreastrian, versions up to and including 3.20.3. The flaw affects the review content rendering pathways that display externally sourced data.", "description_and_impact": "The WP Social Ninja plugin, a WordPress add\u2011on that aggregates content such as Google Reviews and YouTube feeds, contains a stored XSS flaw that lets an unauthenticated user inject arbitrary JavaScript into pages that render imported external content. This vulnerability arises from insufficient sanitization and escaping of content retrieved from external services. An attacker who can post to a connected Google Business Profile or Facebook page could embed JavaScript that will execute whenever a site visitor loads the affected review page. While the vulnerability does not explicitly mention session hijacking or data exfiltration, such outcomes are a typical consequence of XSS and are thus inferred based on the behavior of client\u2011side code execution.", "risk_and_exploitability": "The CVSS score of 6.1 classifies the issue as moderate severity, while an EPSS score of less than 1% indicates low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, reflecting a limited known exploitation footprint. The attack requires the ability to post content to an external business profile; once compromised, the injected script executes in the browsers of any visitor who views the compromised review page, giving the attacker client\u2011side code execution."}}}}, "created": "2025-12-03T12:10:10.632608+00:00", "updated": "2026-04-22T21:00:06.379430+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}