CVE-2025-13386 MEDIUM

CVE-2025-13386: Social Images Widget <= 2.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion

Vendor Lyrathemes
Product Social Images Widget
Weakness CWE-862 · Missing authorization
Published November 25, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'options_update' function in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to delete the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Explanation of Vulnerability in Simple Terms

Summary

The Social Images Widget plugin for WordPress performs no authorization (capability) check in its 'options_update' function, so the code path that writes the plugin's settings can be reached by a request whose sender was never verified as allowed to change them. An attacker without an account on the site can therefore submit a forged request that deletes the plugin's stored settings. Note the caveat in the description: the forged request has to be triggered through a site administrator, for example by getting them to click a crafted link, even though the CVSS vector scores User Interaction as None. All versions up to and including 2.1 are affected; there is no confidentiality or availability impact beyond the widget's own configuration (C:N, I:L, A:N).
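The pattern the description names (a settings handler that acts on request data with no capability check) is easiest to see next to its hardened form. The PHP below is an illustrative example added here; it is not the Social Images Widget's code, and every name in it (the `siw_example_*` functions, the `siw_example_settings` option key, the nonce action) is hypothetical. It uses only core WordPress APIs (`add_action`, `delete_option`, `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `submit_button`, `wp_die`).

```php
<?php
/**
 * Editor-added example of the CWE-862 pattern described in this advisory.
 * NOT the Social Images Widget plugin's code; all siw_example_* names,
 * the option key and the nonce action are hypothetical.
 */

// --- Vulnerable pattern ------------------------------------------------------
// 'admin_init' fires on every request that loads the admin bootstrap,
// including admin-ajax.php and admin-post.php, which do not require a
// logged-in user. Nothing here verifies a capability or a nonce before
// the plugin's saved settings are deleted.
function siw_example_options_update_vulnerable() {
    if ( isset( $_REQUEST['siw_example_reset'] ) ) {
        delete_option( 'siw_example_settings' ); // wipes the stored settings
    }
}
add_action( 'admin_init', 'siw_example_options_update_vulnerable' );

// --- Hardened pattern --------------------------------------------------------
// 1. Capability check: only users allowed to manage options may proceed.
// 2. Nonce check: the request must come from a form this site issued, so a
//    forged cross-site request fails even if an administrator clicks a link.
// 3. Accept POST only, so a bare link cannot trigger the change.
function siw_example_options_update_hardened() {
    if ( ! isset( $_POST['siw_example_reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'siw-example' ),
            '',
            array( 'response' => 403 )
        );
    }
    // Dies with a 403 if the nonce is missing, expired or for a different action.
    check_admin_referer( 'siw_example_reset_action', 'siw_example_nonce' );
    delete_option( 'siw_example_settings' );
}
add_action( 'admin_init', 'siw_example_options_update_hardened' );

// The matching form. wp_nonce_field() emits the hidden nonce that
// check_admin_referer() validates above.
function siw_example_render_reset_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'siw_example_reset_action', 'siw_example_nonce' ); ?>
        <input type="hidden" name="siw_example_reset" value="1" />
        <?php submit_button( __( 'Reset settings', 'siw-example' ) ); ?>
    </form>
    <?php
}
```

The capability check alone closes the CWE-862 gap the advisory is about; the nonce check is what stops the "trick an administrator into clicking a link" path, because the administrator's own capabilities would otherwise satisfy `current_user_can()`. Whether the plugin's actual fix looks like this is not stated on this page.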

What an attacker can do

Attacker Capabilities

Delete the plugin's stored settings via a forged request, without holding an account on the site.

Potential impact on your site

Site Impact

The plugin's configuration can be wiped without your knowledge or consent, changing or breaking how the widget displays until an administrator reconfigures it. The record describes no data disclosure and no availability impact beyond the widget itself.

Conditions required to exploit

Prerequisites

Network access to a WordPress site running Social Images Widget 2.1 or earlier; no account on the site is needed. Per the description, the attacker must still get a site administrator to perform an action such as clicking a crafted link, although the CVSS vector rates user interaction as not required.

Key dates

Disclosure timeline

November 25, 2025 CVE published
April 8, 2026 Record updated