CVE-2025-13880

WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification

mediumMissing Authorization
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
4.0.2
Patched in
1d
Time to patch

Description

The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.0.1
PublishedDecember 16, 2025
Last updatedDecember 17, 2025
Affected pluginwp-social-reviews

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2025-13880 - WP Social Ninja Missing Authorization This plan outlines the steps to verify and exploit the missing authorization vulnerability in WP Social Ninja (versions <= 4.0.1) which allows unauthenticated disclosure and modification of advanced plugin settings. ## 1. Vuln…

Show full research plan

Research Plan: CVE-2025-13880 - WP Social Ninja Missing Authorization

This plan outlines the steps to verify and exploit the missing authorization vulnerability in WP Social Ninja (versions <= 4.0.1) which allows unauthenticated disclosure and modification of advanced plugin settings.

1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Capability Check).
  • Affected Functions: getAdvanceSettings and saveAdvanceSettings.
  • Nature of Flaw: The plugin registers AJAX or REST API endpoints for managing advanced settings but fails to verify that the requesting user has administrative privileges (e.g., manage_options).
  • Impact: An unauthenticated attacker can read sensitive configuration data and modify advanced settings, potentially leading to cross-site scripting (XSS) if the settings allow custom scripts/CSS, or breaking plugin functionality.

2. Attack Vector Analysis

  • Endpoints: Likely wp-admin/admin-ajax.php or a REST API route under wp-json/wp-social-ninja/v1/.
  • AJAX Actions (Inferred):
    • wpsn_get_advanced_settings (or similar)
    • wpsn_save_advanced_settings (or similar)
  • Parameters:
    • action: The AJAX action string.
    • nonce: A WordPress nonce for CSRF protection.
    • settings: A JSON object or array containing the settings to be saved.
  • Authentication: Unauthenticated (Access is available via wp_ajax_nopriv_* hooks or REST routes with __return_true permission callbacks).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers hooks during init or admin_init.
  2. Registration:
    // Likely pattern in affected versions
    add_action('wp_ajax_wpsn_get_advanced_settings', [$this, 'getAdvanceSettings']);
    add_action('wp_ajax_nopriv_wpsn_get_advanced_settings', [$this, 'getAdvanceSettings']);
    
  3. Execution: The getAdvanceSettings function is called. It fetches settings using get_option('wpsn_advanced_settings') (inferred) and returns them via wp_send_json_success().
  4. Vulnerability: The function lacks a current_user_can('manage_options') check, and the nopriv hook makes it accessible to visitors.

4. Nonce Acquisition Strategy

WP Social Ninja typically localizes data for its React/Vue admin dashboard. We need to find where the nonce is exposed for unauthenticated users.

  1. Identify Script Localization: The plugin likely uses wp_localize_script.
  2. Setup:
    • Create a page containing a Social Ninja feed to ensure the plugin's scripts are loaded.
    • wp post create --post_type=page --post_status=publish --post_title="Social Feed" --post_content='[wp_social_ninja id="ANY_ID"]' (Note: You may need to create a dummy feed first via CLI or find an existing shortcode).
  3. Extraction:
    • Navigate to the page: browser_navigate("http://localhost:8080/social-feed")
    • Search for the localization object in the browser console.
    • Candidate Variable Name (Inferred): window.wp_social_ninja_admin_data or window.wpsn_config.
    • Command: browser_eval("window.wp_social_ninja_admin_data?.nonce")
  4. Action Matching: Check if the nonce used for getAdvanceSettings is the same as the general plugin nonce (often wpsn_nonce or wp_social_ninja_nonce).

5. Exploitation Strategy

Phase 1: Information Disclosure (getAdvanceSettings)

HTTP Request:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=wpsn_get_advanced_settings&nonce=[EXTRACTED_NONCE] (Note: Action name must be confirmed via grep).

Phase 2: Configuration Modification (saveAdvanceSettings)

HTTP Request:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=wpsn_save_advanced_settings&nonce=[EXTRACTED_NONCE]&settings[custom_css]=/*+Exploit+Successful+*/&settings[debug_mode]=true
    
    (Note: The exact structure of the settings parameter must be determined by the output of Phase 1).

6. Test Data Setup

  1. Install Plugin: Ensure WP Social Ninja <= 4.0.1 is active.
  2. Enable Features: If the advanced settings menu is only available when certain modules are active, enable them:
    wp option update wpsn_modules '{"reviews": "yes", "feeds": "yes"}' --format=json
    
  3. Create Public Page: As described in Section 4, create a page with a plugin shortcode to trigger nonce localization.

7. Expected Results

  • Disclosure: The getAdvanceSettings request should return a 200 OK with a JSON body containing the current plugin configuration.
  • Modification: The saveAdvanceSettings request should return {"success": true}.
  • Impact: Administrative settings will be updated without the attacker providing any login credentials.

8. Verification Steps

After performing the saveAdvanceSettings request, verify the change via WP-CLI:

# Check the specific option where settings are stored
wp option get wpsn_advanced_settings --format=json

Ensure that the values injected in the payload (e.g., debug_mode or custom_css) now reflect the attacker's input.

9. Alternative Approaches

If the vulnerability is via the REST API instead of AJAX:

  1. Find Routes: grep -r "register_rest_route" .
  2. Identify Controller: Look for getAdvanceSettings within the permission_callback of the route definition.
  3. Payload: Use the same logic but send a JSON POST request to wp-json/wp-social-ninja/v1/settings/advanced.
  4. Nonce: The REST API requires the X-WP-Nonce header for authenticated requests, but if the vulnerability is unauthenticated, it may not require a nonce at all if the permission_callback is __return_true.
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Social Ninja plugin for WordPress is vulnerable to unauthorized access and modification of its advanced settings due to a lack of capability checks in the getAdvanceSettings and saveAdvanceSettings functions. This vulnerability allows unauthenticated users to retrieve sensitive configuration data or change plugin settings by interacting with the exposed AJAX or REST API endpoints.

Exploit Outline

An attacker can exploit this vulnerability by identifying the AJAX or REST API actions associated with the plugin's advanced settings, such as 'wpsn_get_advanced_settings' and 'wpsn_save_advanced_settings'. By obtaining a security nonce from the public-facing side of the site—typically found in localized JavaScript variables like 'wp_social_ninja_admin_data'—the attacker can send unauthenticated POST requests to disclose or update plugin settings without requiring administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.