CVE-2025-13880: CWE-862 Missing Authorization in adreastrian WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings.
AI Analysis
Technical Summary
CVE-2025-13880 describes a missing authorization vulnerability (CWE-862) in the WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets WordPress plugin by adreastrian. The issue affects all versions up to and including 4.0.1 and involves the absence of capability checks on the getAdvanceSettings and saveAdvanceSettings functions. This allows unauthenticated attackers to access and modify advanced plugin settings remotely. The CVSS 3.1 base score is 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality and integrity impact without availability impact. No patch or official fix is currently documented.
Potential Impact
An attacker without authentication can view and alter advanced settings of the WP Social Ninja plugin, potentially leading to unauthorized configuration changes. This could affect the integrity and confidentiality of the plugin's operation and data it manages. There is no indication of direct availability impact. No known exploits have been reported so far.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the WordPress admin interface and consider disabling or removing the plugin if advanced settings exposure poses a risk. Monitor for vendor updates regarding patches or official mitigations.
CVE-2025-13880: CWE-862 Missing Authorization in adreastrian WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets
Description
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-13880 describes a missing authorization vulnerability (CWE-862) in the WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets WordPress plugin by adreastrian. The issue affects all versions up to and including 4.0.1 and involves the absence of capability checks on the getAdvanceSettings and saveAdvanceSettings functions. This allows unauthenticated attackers to access and modify advanced plugin settings remotely. The CVSS 3.1 base score is 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality and integrity impact without availability impact. No patch or official fix is currently documented.
Potential Impact
An attacker without authentication can view and alter advanced settings of the WP Social Ninja plugin, potentially leading to unauthorized configuration changes. This could affect the integrity and confidentiality of the plugin's operation and data it manages. There is no indication of direct availability impact. No known exploits have been reported so far.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the WordPress admin interface and consider disabling or removing the plugin if advanced settings exposure poses a risk. Monitor for vendor updates regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-02T14:00:28.780Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69423560364d4dab9cc00c44
Added to database: 12/17/2025, 4:45:20 AM
Last enriched: 4/9/2026, 4:38:09 PM
Last updated: 5/7/2026, 11:33:50 AM
Views: 170
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.