CVE-2025-13866
📋 TL;DR
This vulnerability in the Flow-Flow Social Feed Stream WordPress plugin allows authenticated attackers with Subscriber-level access or higher to modify plugin settings and inject malicious JavaScript. The stored JavaScript executes whenever the plugin settings page is viewed, enabling cross-site scripting attacks. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Flow-Flow Social Feed Stream WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject persistent JavaScript payloads that steal administrator credentials, redirect users to malicious sites, or deface the website when any user views the plugin settings page.
Likely Case
Attackers with subscriber accounts inject malicious JavaScript that executes when administrators view plugin settings, potentially leading to session hijacking or privilege escalation.
If Mitigated
With proper access controls and input validation, the impact is limited to unauthorized plugin setting changes without code execution.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has subscriber-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.6
Vendor Advisory: https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/FlowFlowActivator.php#L224
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Flow-Flow Social Feed Stream. 4. Click 'Update Now' if available, or download version 4.7.6+ from WordPress repository. 5. Replace plugin files with patched version.
🔧 Temporary Workarounds
Remove vulnerable plugin
allTemporarily disable or remove the vulnerable plugin until patched version can be installed.
wp plugin deactivate flow-flow-social-streams
wp plugin delete flow-flow-social-streams
Restrict user registration
allDisable new user registration to prevent attackers from creating subscriber accounts.
wp option update users_can_register 0
🧯 If You Can't Patch
- Disable the Flow-Flow Social Feed Stream plugin completely.
- Implement web application firewall rules to block requests to the vulnerable AJAX endpoint.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Flow-Flow Social Feed Stream version. If version is between 3.0.0 and 4.7.5 inclusive, the site is vulnerable.Check Version:
wp plugin get flow-flow-social-streams --field=versionVerify Fix Applied:
Verify plugin version is 4.7.6 or higher in WordPress admin panel. Test that non-administrator users cannot modify plugin settings via AJAX requests.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=flow_flow_social_auth from non-admin users
- Multiple failed authentication attempts followed by successful subscriber login
Network Indicators:
- HTTP POST requests to admin-ajax.php containing flow_flow_social_auth parameter from unexpected IP addresses
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "flow_flow_social_auth" AND user_role!="administrator"🔗 References
- https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/FlowFlowActivator.php#L224
- https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/db/FFDBManager.php#L24
- https://www.wordfence.com/threat-intel/vulnerabilities/id/065d01b6-30e0-4bc8-bd70-25996c2df879?source=cve
