The Flow-Flow Social Feed Stream plugin for WordPress suffers from a missing authorization check vulnerability identified as CVE-2025-13866. This vulnerability exists in versions 3.0.0 through 4.7.5 and specifically affects the AJAX action named flow_flow_social_auth. Due to the lack of proper capability verification, any authenticated user with at least Subscriber-level privileges can invoke this AJAX endpoint to modify plugin settings arbitrarily. This includes the ability to store and execute arbitrary JavaScript code whenever the plugin settings page is accessed by an administrator or other users with access to that page. The vulnerability is classified under CWE-862 (Missing Authorization), highlighting that the plugin fails to verify whether the user is authorized to perform the requested action. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring low privileges but no user interaction. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is low but notable, while availability is unaffected. No patches or exploits are currently publicly available, but the vulnerability poses a risk of unauthorized configuration changes and potential cross-site scripting (XSS) attacks via stored JavaScript injection.

This vulnerability allows authenticated users with minimal privileges (Subscriber or above) to escalate their impact by modifying plugin settings and injecting malicious JavaScript code. The injected scripts execute in the context of the plugin settings page, potentially enabling attackers to perform actions such as stealing cookies, session tokens, or performing actions on behalf of administrators who visit the settings page. While the vulnerability does not directly affect availability, it compromises the integrity and confidentiality of the affected WordPress site. Organizations relying on the Flow-Flow Social Feed Stream plugin risk unauthorized changes to their social feed configurations and potential broader site compromise if attackers leverage the JavaScript injection for further attacks. This can lead to reputational damage, data leakage, and increased risk of further exploitation within the WordPress environment.

To mitigate this vulnerability, organizations should immediately upgrade the Flow-Flow Social Feed Stream plugin to a version where the missing authorization check is properly implemented once available. Until a patch is released, administrators should restrict Subscriber-level user access or disable the plugin if possible. Implementing strict role-based access control (RBAC) to limit who can access the plugin settings page reduces risk. Additionally, monitoring and auditing AJAX requests to the flow_flow_social_auth endpoint can help detect unauthorized attempts. Employing a Web Application Firewall (WAF) with custom rules to block suspicious AJAX requests targeting this endpoint may provide temporary protection. Regularly reviewing user privileges and removing unnecessary Subscriber or higher accounts will also reduce the attack surface. Finally, educating administrators to avoid visiting plugin settings pages from untrusted environments can limit the impact of stored JavaScript execution.