CVE-2025-13866
Unauthorized JavaScript Injection in Flow-Flow Social Feed Plugin
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | flow-flow_social_feed_stream | 4.7.5 |
| wordfence | flow-flow_social_feed_stream | 3.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with Subscriber-level access to modify plugin settings and inject arbitrary JavaScript that executes on the plugin settings page. This unauthorized modification capability could lead to data integrity issues and potential unauthorized access or exposure of personal data managed by the plugin. Such risks may impact compliance with standards like GDPR and HIPAA, which require protection of personal data and prevention of unauthorized data modification or access. However, specific compliance impacts are not detailed in the provided resources. [1, 3]
Can you explain this vulnerability to me?
This vulnerability exists in the Flow-Flow Social Feed Stream plugin for WordPress, where a missing capability check on the flow_flow_social_auth AJAX action allows authenticated users with Subscriber-level access or higher to modify plugin settings. This enables them to store arbitrary JavaScript code that executes whenever the plugin settings page is viewed.
How can this vulnerability impact me?
An attacker with Subscriber-level access or higher can exploit this vulnerability to modify plugin settings and inject arbitrary JavaScript code. This could lead to unauthorized actions within the WordPress site, potential compromise of site integrity, and execution of malicious scripts when the plugin settings page is accessed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification of plugin settings via the flow_flow_social_auth AJAX action by authenticated users with Subscriber-level access or higher. To detect exploitation attempts, monitor HTTP requests to the WordPress admin AJAX endpoint (typically /wp-admin/admin-ajax.php) for calls to the 'flow_flow_social_auth' action from users with low privileges. You can use web server logs or network monitoring tools to filter such requests. For example, using grep on Apache logs: `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'flow_flow_social_auth'` to find suspicious AJAX calls. Additionally, check for unexpected changes in plugin settings or presence of arbitrary JavaScript in the plugin settings page. There are no specific commands provided in the resources, but monitoring AJAX requests and plugin settings changes is recommended. [3]
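As an added example (not from the page or the plugin), the log check described above applied in Python to constructed Apache "combined" access-log lines: it confirms requests that carry `action=flow_flow_social_auth` in the query string and separately flags bare POSTs to admin-ajax.php, because WordPress normally receives the action in the POST body, which an access log does not record. The log format, the `/wp-admin/admin-ajax.php` path and the sample addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=flow_flow_social_auth HTTP/1.1" 200 512 "https://blog.example/wp-admin/" "Mozilla/5.0"
203.0.113.11 - - [12/Dec/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Dec/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.13 - - [12/Dec/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_ACTION = "flow_flow_social_auth"  # vulnerable AJAX action named on the page


def classify(line):
    """Return ('hit'|'unclassified', record) for an admin-ajax.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    record = {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method")}
    actions = parse_qs(url.query).get("action", [])
    if TARGET_ACTION in actions:
        return "hit", record
    if m.group("method") == "POST" and not actions:
        # The action is usually in the POST body, which the access log does not
        # contain; only an application or WAF log can settle what was called.
        return "unclassified", record
    return None


def scan_log(text):
    """Split log text into confirmed hits and bare POSTs that need a richer log."""
    result = {"hits": [], "unclassified": []}
    for line in text.splitlines():
        verdict = classify(line)
        if verdict is not None:
            kind, record = verdict
            result["hits" if kind == "hit" else "unclassified"].append(record)
    return result


if __name__ == "__main__":
    for kind, records in scan_log(SAMPLE_LOG).items():
        for r in records:
            print(kind, r["ip"], r["ts"], r["method"])
```

Correlating the flagged requests with the WordPress session or user in an application-level log is what turns a match into evidence of a low-privileged caller.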
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the plugin settings page to trusted users only, as the vulnerability allows Subscriber-level users to modify settings. Update the Flow-Flow Social Feed Stream plugin to a version later than 4.7.5 where the missing capability check on the flow_flow_social_auth AJAX action is fixed. If an update is not immediately available, consider disabling the plugin temporarily or restricting AJAX access to the vulnerable action via custom code or security plugins. Also, review and clean any unauthorized JavaScript stored in the plugin settings to prevent malicious code execution. [3]