CVE-2025-13866: CWE-862 Missing Authorization in looks_awesome Flow-Flow Social Feed Stream
The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings and store arbitrary JavaScript that executes whenever the plugin settings page is viewed.
AI Analysis
Technical Summary
CVE-2025-13866 is a vulnerability identified in the Flow-Flow Social Feed Stream plugin for WordPress, affecting versions 3.0.0 through 4.7.5. The root cause is a missing authorization check (CWE-862) on the AJAX action 'flow_flow_social_auth', which allows authenticated users with minimal privileges (Subscriber-level or higher) to modify plugin settings without proper capability verification. This unauthorized modification capability enables attackers to store arbitrary JavaScript code within the plugin’s settings. The malicious JavaScript executes whenever the plugin settings page is accessed, potentially allowing for cross-site scripting (XSS) attacks or other client-side exploits. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity and requiring only authenticated access. The CVSS 3.1 base score is 6.4, indicating a medium severity level with partial impacts on confidentiality and integrity but no impact on availability. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s initial privileges. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability was publicly disclosed on December 12, 2025, and assigned by Wordfence. The plugin is widely used to aggregate social media feeds on WordPress sites, making this vulnerability relevant for many organizations relying on this plugin for social media integration.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity and confidentiality of WordPress sites using the Flow-Flow Social Feed Stream plugin. Attackers with low-level authenticated access can inject malicious JavaScript, potentially leading to session hijacking, credential theft, or further exploitation of site visitors or administrators. This can damage organizational reputation, lead to data breaches, and facilitate lateral movement within the network if administrative accounts are compromised. The vulnerability does not directly impact availability but can indirectly cause service disruption if exploited for broader attacks. Organizations with multi-user WordPress environments, such as media companies, e-commerce sites, and public sector websites, are particularly vulnerable. The risk is heightened in environments where subscriber or low-privilege accounts are easily created or compromised. Given the plugin’s network exposure and the lack of user interaction required, exploitation could be automated or integrated into broader attack campaigns targeting WordPress infrastructure in Europe.
Mitigation Recommendations
Immediate mitigation steps include restricting access to the WordPress admin area and specifically the plugin settings page to trusted users only. Implement strict role-based access controls to ensure only necessary users have access to the plugin’s configuration. Monitor and audit user accounts with Subscriber-level privileges to detect suspicious activity. Employ Web Application Firewalls (WAFs) with custom rules to block unauthorized AJAX requests targeting 'flow_flow_social_auth'. Disable or remove the Flow-Flow Social Feed Stream plugin if it is not essential until a security patch is released. Once a patch becomes available, promptly update the plugin to a secure version that includes proper authorization checks. Additionally, implement Content Security Policy (CSP) headers to mitigate the impact of injected JavaScript. Regularly review and harden WordPress security configurations, including limiting plugin installations and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) for all users with access to the admin area.
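To make the root cause in the technical summary and the "proper authorization checks" called for above concrete, the following PHP is an added illustration, not the Flow-Flow plugin's own code: a hypothetical wp_ajax handler with the CWE-862 defect beside a hardened version. The action name comes from the advisory; the option name, function names, nonce name and the manage_options capability are assumptions.

```php
<?php
// Added illustrative example, not the Flow-Flow plugin's own code.
// The action name comes from the advisory; the option name, function
// names, nonce name and the manage_options capability are assumptions.

// Vulnerable pattern (CWE-862, the "before" case): wp_ajax_* runs for any
// logged-in user, and the callback checks neither capability nor nonce,
// so a Subscriber can overwrite the option the settings page later renders.
// add_action( 'wp_ajax_flow_flow_social_auth', 'ff_social_auth_unchecked' );
function ff_social_auth_unchecked() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'ff_social_settings', $settings ); // stored unsanitized
    wp_send_json_success();
}

// Hardened pattern: nonce bound to this action, an explicit capability
// check (authentication is not authorization), sanitization on input and
// escaping on output as defence in depth.
add_action( 'wp_ajax_flow_flow_social_auth', 'ff_social_auth_checked' );
function ff_social_auth_checked() {
    // Terminates with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'ff_social_auth_nonce', 'nonce' );

    // The missing check that constitutes CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] ) : array();
    // Assumes a flat key => string map; strips tags and control characters.
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'ff_social_settings', $settings );
    wp_send_json_success( array( 'saved' => count( $settings ) ) );
}

// Settings page output: escaping here means even a previously stored
// payload renders as text instead of executing.
function ff_render_setting( $key ) {
    $settings = get_option( 'ff_social_settings', array() );
    echo esc_html( isset( $settings[ $key ] ) ? $settings[ $key ] : '' );
}
```

The capability check is the fix for the advisory's defect; the nonce, input sanitization and output escaping are the additional layers that stop a stored value from reaching the settings page as executable script.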
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-01T22:55:17.940Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9185650da22753edbcca
Added to database: 12/12/2025, 3:52:37 AM
Last enriched: 12/12/2025, 4:11:45 AM
Last updated: 12/14/2025, 2:55:21 AM