Stored XSS in WP Social Ninja Plugin for WordPress
CVE-2025-13007

6.1 MEDIUM

What is CVE-2025-13007?

The WP Social Ninja plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) because content fetched from external sources is neither adequately sanitized on input nor escaped on output. All versions up to and including 3.20.3 are affected, allowing unauthenticated attackers to inject arbitrary web scripts that execute whenever a user visits an affected page. Exploitation requires the attacker to post malicious content on an external platform such as Google Business Profile or Facebook, which the plugin then embeds, posing a significant risk to site visitors and the affected pages.
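To illustrate the bug class described above (an added example, not code from WP Social Ninja): a hypothetical review-rendering function that echoes externally fetched review fields unescaped, beside the hardened version that escapes at the point of output with WordPress's esc_html(), esc_attr() and esc_url(). The fallback definitions of those functions are assumptions so the file also runs outside WordPress; the sample review is constructed.

```php
<?php
// Added illustration (not the plugin's code): rendering externally sourced
// review content in a WordPress plugin, first unsafely, then with output escaping.

// Shims (assumption) so this file runs outside WordPress; inside WordPress the
// real esc_html()/esc_attr()/esc_url() already exist and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: allow only http(s) URLs, then attribute-escape them.
    function esc_url(string $u): string {
        return preg_match('#^https?://#i', $u) ? esc_attr($u) : '';
    }
}

// Constructed sample of what a third-party reviews API might return.
// Every field is attacker-controlled; the site owner authored none of it.
$review = [
    'author'  => 'Sample Reviewer <b>',
    'text'    => 'Great place! <script>alert(1)</script>',
    'profile' => 'javascript:alert(1)',
];

// VULNERABLE: treats fetched content as if the site owner had written it.
function render_review_unsafe(array $r): string {
    return '<div class="review"><a href="' . $r['profile'] . '">' . $r['author'] . '</a>'
         . '<p>' . $r['text'] . '</p></div>';
}

// HARDENED: treat fetched content as untrusted and pick the escaper by
// output context (HTML body, attribute value, URL). esc_url() also drops
// non-http(s) schemes such as javascript:.
function render_review_safe(array $r): string {
    return '<div class="review"><a href="' . esc_url($r['profile']) . '">' . esc_html($r['author']) . '</a>'
         . '<p>' . esc_html($r['text']) . '</p></div>';
}

echo render_review_unsafe($review), "\n"; // script and javascript: URL reach the browser intact
echo render_review_safe($review), "\n";   // markup shown as literal text; href is empty
```

Sanitizing on fetch (for example with wp_kses()) is a useful second layer, but output escaping in the right context is what prevents stored content from executing.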

Affected Version(s)

  • WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More): <= 3.20.3

CVSS V3.1

  • Score: 6.1
  • Severity: MEDIUM
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Kishan Vyas