Description
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify the plugin's advanced settings.
Published: 2025-12-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated modification and disclosure of plugin settings
Action: Patch Update
AI Analysis

Impact

The vulnerability exists in WP Social Ninja versions up to and including 4.0.1 and is caused by a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions. Because neither function verifies that the caller holds an administrative capability, any unauthenticated visitor can read the plugin's advanced settings and overwrite them, disclosing configuration data and changing the plugin's behavior for every visitor of the site. The underlying weakness is missing authorization (CWE-862).

Affected Systems

The affected product is WP Social Ninja – Embed Social Feeds, Customer Reviews & Chat Widgets from vendor adreastrian. All releases up to and including version 4.0.1 are vulnerable; no later versions are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: the flaw is reachable over the network with low complexity, needs no privileges and no user interaction, and has a limited (Low) impact on confidentiality and integrity with no impact on availability. The EPSS score is below 1%, suggesting a low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below rates it as automatable, with no known exploitation and partial technical impact. The attack path is inferred rather than stated in the advisory: the two functions are most likely reachable through the plugin's REST API (or admin-ajax) endpoints that serve its advanced settings, and those endpoints accept requests from unauthenticated users.
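The flaw class described above, shown as an added illustration rather than code from WP Social Ninja: a WordPress REST route whose permission callback always returns true (the vulnerable pattern) beside the same route behind a capability check (the hardened pattern). The namespace `example-social/v1`, the route, the option key and all function names are hypothetical stand-ins; the plugin's real route names and file layout are not given on this page.

```php
<?php
// Added illustration of the vulnerability class, not code from WP Social Ninja.
// Namespace, route, option key and function names are hypothetical.

// VULNERABLE: permission_callback unconditionally returns true and the handlers
// never check a capability, so any unauthenticated visitor can read or overwrite
// the option. Defined for contrast only; it is not hooked below.
function example_register_routes_vulnerable() {
    register_rest_route('example-social/v1', '/advance-settings', [
        ['methods' => 'GET',  'callback' => 'example_get_advance_settings',
         'permission_callback' => '__return_true'],
        ['methods' => 'POST', 'callback' => 'example_save_advance_settings',
         'permission_callback' => '__return_true'],
    ]);
}

// HARDENED: the same routes behind a permission callback that requires the
// manage_options capability. WordPress runs this before the handler, so the
// handlers themselves do not need to change.
function example_advance_settings_permission(WP_REST_Request $request) {
    if (!current_user_can('manage_options')) {
        // rest_authorization_required_code() yields 401 for anonymous callers
        // and 403 for logged-in users who lack the capability.
        return new WP_Error(
            'rest_forbidden',
            'Administrator capability required.',
            ['status' => rest_authorization_required_code()]
        );
    }
    return true;
}

function example_register_routes_fixed() {
    register_rest_route('example-social/v1', '/advance-settings', [
        ['methods' => 'GET',  'callback' => 'example_get_advance_settings',
         'permission_callback' => 'example_advance_settings_permission'],
        ['methods' => 'POST', 'callback' => 'example_save_advance_settings',
         'permission_callback' => 'example_advance_settings_permission'],
    ]);
}
add_action('rest_api_init', 'example_register_routes_fixed');

function example_get_advance_settings(WP_REST_Request $request) {
    return rest_ensure_response(get_option('example_advance_settings', []));
}

function example_save_advance_settings(WP_REST_Request $request) {
    $input = $request->get_json_params();
    if (!is_array($input)) {
        return new WP_Error('rest_invalid_param', 'Expected a JSON object.', ['status' => 400]);
    }
    // Authorization alone is not enough: accept only known keys and sanitize
    // each value so the stored option never contains arbitrary caller data.
    $allowed = ['cache_ttl' => 'absint', 'custom_css' => 'wp_strip_all_tags'];
    $clean = [];
    foreach ($allowed as $key => $sanitizer) {
        if (array_key_exists($key, $input)) {
            $clean[$key] = call_user_func($sanitizer, $input[$key]);
        }
    }
    update_option('example_advance_settings', $clean, false);
    return rest_ensure_response($clean);
}
```

Cookie-authenticated callers must also send a valid `X-WP-Nonce` header (a `wp_rest` nonce); without it WordPress treats the request as logged out and `current_user_can()` returns false, which is the intended outcome for an anonymous attacker. A quick check after deploying such a fix is an unauthenticated GET against the route, which should now return HTTP 401 instead of the settings object.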

Generated by OpenCVE AI on April 21, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Social Ninja to a release newer than 4.0.1 whose changelog confirms that the missing capability checks were added; this page does not list a fixed version.
  • Until the upgrade is applied, deny unauthenticated HTTP requests to the plugin's settings REST routes. The path /wp-json/wp-social-reviews/* is given here as an example namespace; confirm the real one by listing /wp-json/ on the site. Restrict only the settings routes rather than the whole namespace, since blanket blocking may break feeds and widgets the plugin renders for anonymous visitors.
  • If an immediate upgrade is not feasible, add a capability check before getAdvanceSettings and saveAdvanceSettings execute, for example by rejecting the request with HTTP 403 when current_user_can('manage_options') is false, or by pointing the routes' permission_callback at such a check. The page names the plugin's SettingsController.php as the place to do this; note that edits to plugin files are overwritten by the next update, so a must-use plugin that hooks the REST dispatcher is the more durable stopgap.
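The stopgap suggested in the last two actions, written as an added example of a must-use plugin rather than anything shipped by the vendor: it hooks `rest_request_before_callbacks`, which WordPress runs before any route's callback, and refuses requests to the guarded route prefixes unless the caller is an authenticated user with manage_options. The prefix `/wp-social-reviews/` is an assumption carried over from the recommendation above, and should be narrowed to the actual settings routes once they have been identified.

```php
<?php
/**
 * Plugin Name: Temporary REST guard for plugin settings routes (added example)
 *
 * Added illustration, not vendor code. Save as
 * wp-content/mu-plugins/example-rest-guard.php; must-use plugins load
 * automatically and survive plugin updates.
 */

// ASSUMPTION: the route prefixes to guard. Replace with the plugin's real
// settings routes after listing /wp-json/ on the site; a too-broad prefix
// will also block public feed endpoints served to anonymous visitors.
const EXAMPLE_GUARDED_ROUTE_PREFIXES = [
    '/wp-social-reviews/',
];

function example_route_is_guarded(string $route): bool {
    foreach (EXAMPLE_GUARDED_ROUTE_PREFIXES as $prefix) {
        if (strncmp($route, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Runs before the route's own callback and permission_callback. Returning a
// WP_Error short-circuits dispatch, so the vulnerable handler never executes.
add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
    // Another filter already rejected the request; leave that decision alone.
    if (is_wp_error($response)) {
        return $response;
    }
    if (!example_route_is_guarded($request->get_route())) {
        return $response;
    }
    // Cookie-authenticated callers need a valid X-WP-Nonce header; without it
    // WordPress treats the request as logged out and this check fails, which is
    // exactly what should happen for an unauthenticated attacker.
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            'This endpoint is restricted until the plugin is updated.',
            ['status' => rest_authorization_required_code()]
        );
    }
    return $response;
}, 10, 3);
```

Verify the guard from outside the site with an unauthenticated GET against one of the guarded routes, which should return 401 rather than the settings payload, and then confirm from an administrator session that the plugin's settings screen still loads. If the plugin reaches these functions through admin-ajax.php instead of the REST API, this filter does not apply and the corresponding `wp_ajax_nopriv_*` action would need the same check.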

Generated by OpenCVE AI on April 21, 2026 at 17:03 UTC.

Advisories

No advisories yet.

History

Wed, 17 Dec 2025 20:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 14:30:00 +0000

Type: First Time appeared
Values added: Wordpress / wordpress
Type: Vendors & Products
Values added: Wordpress / wordpress

Wed, 17 Dec 2025 04:45:00 +0000

Type: Description
Values added: The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings.
Type: Title
Values added: WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification
Type: Weaknesses
Values added: CWE-862
Type: References (values not shown on this page)
Type: Metrics
Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:51.051Z

Reserved: 2025-12-02T14:00:28.780Z

Link: CVE-2025-13880

Vulnrichment

Updated: 2025-12-17T19:28:37.928Z

NVD

Status : Deferred

Published: 2025-12-17T05:16:11.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses