Impact
The WordPress WP Social Ninja plugin contains a missing authorization flaw: at least one plugin function can be reached by users who do not hold the privileges it should require, allowing them to perform actions such as manipulating social review data or other sensitive plugin features. The weakness is classified as CWE-862 (Missing Authorization), in which the software fails to check whether the requesting actor is permitted to perform an action or access a resource before carrying it out. The primary consequence is that an attacker can invoke functions they are not entitled to, potentially altering data or disrupting normal plugin operation, thereby compromising the integrity of the site's social review components.
Affected Systems
The affected product is the WordPress WP Social Ninja plugin developed by Mahmudul Hasan Arif. All versions up to and including 3.20.1 are vulnerable; no lower bound is given, so every earlier release should be treated as affected. Any WordPress installation running one of these versions is at risk, and the remediation is to update the plugin to a release later than 3.20.1 that the vendor identifies as fixed.
Risk and Exploitability
A CVSS score of 6.5 places this vulnerability in the Medium severity band. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack surface is any WordPress site with the plugin installed: an attacker would exploit the missing authorization by sending crafted requests to the plugin's endpoints (in WordPress plugins these are typically admin-ajax.php actions or REST API routes, although the advisory does not name the affected one). Based on the description, the likely scenario is that an unauthenticated or low-privilege user (for example, a Subscriber account) can call plugin functions reserved for higher roles and so manipulate data or perform privileged operations. Note that a missing authorization check lets the attacker perform the protected action directly; it does not by itself change the attacker's role, so the practical impact is bounded by what the unprotected function does.
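The following is an added illustration of what a CWE-862 bug looks like in a WordPress plugin and how it is fixed. It is hypothetical example code written for this page, not WP Social Ninja's code, and the advisory does not identify the affected endpoint: the action names, REST namespace, option keys and the `manage_options` capability are all assumptions chosen for the demonstration. It shows the two places a WordPress plugin most often forgets the check, an admin-ajax.php handler and a REST route's `permission_callback`, with the vulnerable form beside the hardened one.

```php
<?php
/**
 * Hypothetical CWE-862 example (not WP Social Ninja's code). The names
 * wpsn_demo_* and the 'wpsn-demo/v1' namespace are invented for this page.
 */

// --- Vulnerable AJAX pattern: "reachable" is mistaken for "authorized" ---
// wp_ajax_* fires for every authenticated user, Subscribers included, and
// wp_ajax_nopriv_* fires for anonymous visitors. Neither hook performs an
// authorization check; that is the plugin's responsibility.
add_action( 'wp_ajax_wpsn_demo_save_review',        'wpsn_demo_save_review_vulnerable' );
add_action( 'wp_ajax_nopriv_wpsn_demo_save_review', 'wpsn_demo_save_review_vulnerable' );

function wpsn_demo_save_review_vulnerable() {
    // No nonce check and no capability check: anyone who can reach
    // /wp-admin/admin-ajax.php?action=wpsn_demo_save_review can overwrite data.
    $review_id = absint( $_POST['review_id'] ?? 0 );
    $text      = sanitize_text_field( wp_unslash( $_POST['text'] ?? '' ) );
    update_option( 'wpsn_demo_review_' . $review_id, $text );
    wp_send_json_success();
}

// --- Hardened AJAX pattern: authenticate the request, then authorize the actor ---
add_action( 'wp_ajax_wpsn_demo_save_review_fixed', 'wpsn_demo_save_review_fixed' );
// Deliberately no wp_ajax_nopriv_ registration: logged-in users only.

function wpsn_demo_save_review_fixed() {
    // 1. CSRF protection: the nonce ties the request to the current user's
    //    session and to a page that legitimately issued this action.
    //    On failure check_ajax_referer() terminates the request with 403.
    check_ajax_referer( 'wpsn_demo_save_review', '_wpnonce' );

    // 2. Authorization, the check whose absence is CWE-862: require a
    //    capability held only by the roles meant to edit review data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $review_id = absint( $_POST['review_id'] ?? 0 );
    $text      = sanitize_text_field( wp_unslash( $_POST['text'] ?? '' ) );
    update_option( 'wpsn_demo_review_' . $review_id, $text );
    wp_send_json_success();
}

// --- The same mistake in the REST API: a permission_callback that always allows ---
add_action( 'rest_api_init', function () {
    // Vulnerable: __return_true grants the route to everyone, logged in or not.
    register_rest_route( 'wpsn-demo/v1', '/review', array(
        'methods'             => 'POST',
        'callback'            => 'wpsn_demo_rest_save_review',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: the permission callback is the authorization decision.
    // Cookie-authenticated REST calls must also send a valid X-WP-Nonce
    // header (nonce action 'wp_rest'), which WordPress core verifies itself.
    register_rest_route( 'wpsn-demo/v1', '/review-fixed', array(
        'methods'             => 'POST',
        'callback'            => 'wpsn_demo_rest_save_review',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'review_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'text'      => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function wpsn_demo_rest_save_review( WP_REST_Request $request ) {
    $review_id = absint( $request->get_param( 'review_id' ) );
    $text      = sanitize_text_field( (string) $request->get_param( 'text' ) );
    update_option( 'wpsn_demo_review_' . $review_id, $text );
    return rest_ensure_response( array( 'saved' => $review_id ) );
}
```

To confirm whether a handler is protected, exercise it from a low-privilege account: log in as a Subscriber and POST to admin-ajax.php with the action name (or to the REST route with the session cookie and X-WP-Nonce header). The vulnerable handlers above accept the write and return success; the hardened ones refuse with HTTP 403 before any data is touched. Sanitizing input, as both versions do, is necessary but does not substitute for the authorization check.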
OpenCVE Enrichment