{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13880", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-02T14:00:28.780Z", "datePublished": "2025-12-17T04:31:31.240Z", "dateUpdated": "2026-04-08T17:05:51.051Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:51.051Z"}, "affected": [{"vendor": "adreastrian", "product": "WP Social Ninja \u2013 Embed Social Feeds, User Reviews & Chat Widgets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings."}], "title": "WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Routes/api.php#L44"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Policies/SettingsPolicy.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Services/PermissionManager.php#L176"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Controllers/SettingsController.php#L144"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-11-20T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-02T14:17:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-16T16:22:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T19:28:33.984165Z", "id": "CVE-2025-13880", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T19:28:44.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T19:28:33.984165Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T19:28:37.928Z"}}], "cna": {"title": "WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "adreastrian", "product": "WP Social Ninja \u2013 Embed Social Feeds, User Reviews & Chat Widgets", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-12-02T14:17:19.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-16T16:22:36.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Routes/api.php#L44"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Policies/SettingsPolicy.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Services/PermissionManager.php#L176"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Controllers/SettingsController.php#L144"}], "descriptions": [{"lang": "en", "value": "The WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-17T04:31:31.240Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13880", "state": "PUBLISHED", "dateUpdated": "2025-12-17T19:28:44.847Z", "dateReserved": "2025-12-02T14:00:28.780Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-17T04:31:31.240Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings."}], "id": "CVE-2025-13880", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-17T05:16:11.180", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Controllers/SettingsController.php#L144"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Policies/SettingsPolicy.php#L14"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Routes/api.php#L44"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Services/PermissionManager.php#L176"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:03:33.279202+00:00", "value": {"mitigation_remediation": ["Upgrade WP Social Ninja to the latest released version that addresses the missing capability checks.", "Configure your WordPress site to deny HTTP requests to the plugin\u2019s REST API endpoints (e.g., /wp-json/wp-social-reviews/*) from unauthenticated users.", "If an immediate upgrade is not feasible, edit the plugin\u2019s SettingsController.php to insert a capability check (such as abort(403) if current_user_can('manage_options') == false) before executing getAdvanceSettings and saveAdvanceSettings."], "summary": {"action": "Patch Update", "impact": "Unauthenticated modification and disclosure of plugin settings"}, "threat_synthesis": {"affected_systems": "The affected product is WP Social Ninja \u2013 Embed Social Feeds, Customer Reviews & Chat Widgets from vendor adreastrian. All releases up to and including version 4.0.1 are vulnerable; no later versions are listed as affected.", "description_and_impact": "The vulnerability exists in WP Social Ninja versions up to 4.0.1 and is caused by a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions. This flaw allows any unauthenticated user to view and change the plugin\u2019s advanced settings, effectively granting unauthorized access to sensitive configuration data and the ability to alter its behavior. The underlying weakness is a missing authorisation control (CWE\u2011862).", "risk_and_exploitability": "The CVSS base score for this flaw is 6.5, indicating moderate severity. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog, and the attack vector is inferred to be via the plugin\u2019s REST API endpoints that handle advanced settings, which can be accessed by unauthenticated users."}}}}, "created": "2025-12-17T14:28:38.269053+00:00", "updated": "2026-04-21T17:15:25.327051+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}