cleantalk
Vulnerabilities and Security Researches

Flow-Flow Social Feed Stream, CVE-2025-13866

CVE, Research URL

CVE-2025-13866

Home page URL

Security reports for Flow-Flow Social Feed Stream

Application

Flow-Flow Social Feed Stream

Published on
Dec 12, 2025
Research Description
The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings and store arbitrary JavaScript that executes whenever the plugin settings page is viewed.
Affected versions
max 4.7.5.
Status
vulnerable
Previous vulnerability researches
Flow-Flow Social Feed Stream (CVE-2025-13866) , Jan 10, 2026
Flow-Flow Social Feed Stream (f323f92085eab76ce72ef3e953ee307aa7c527e3) , Jun 07, 2024
Flow-Flow Social Feed Stream (23c7c3e3baf6eecf985cedf59fc7fb4e69633043) , Jun 16, 2026
Flow-Flow Social Feed Stream (8354b34e-40f4-4b70-bb09-38e2cf572ce9) , Jun 16, 2026
New vulnerability
leenk.me (753d31765913b4d2dbb8af0a5512e5f1f8c70c61) , Jun 16, 2026
Social Hashtags (5abd4657-8a58-4d97-b8cb-b67235ab5b8a) , Jun 16, 2026
Social Hashtags (1965c7b04565befbb11c28b56cb6922733a47b03) , Jun 16, 2026
Social Hashtags (a7cf6766582e354e702766a86f85716127d19bdc) , Jun 16, 2026
Simple Calendar – Google Calendar Plugin (e98a6264-9c5a-417f-b2f8-bd0017b411a0) , Jun 16, 2026