CVE-2020-36739: 
WordPress vulnerability analysis and mitigation

The Feed Them Social – Page, Post, Video, and Photo Galleries WordPress plugin (versions up to and including 2.8.6) was identified with a Cross-Site Request Forgery (CSRF) vulnerability. The vulnerability was discovered in September 2020 and was assigned CVE-2020-36739. The issue affects the my_fts_fb_load_more() function due to missing or incorrect nonce validation (NVD).

The vulnerability stems from improper nonce validation in the my_fts_fb_load_more() function. Specifically, the security check in includes/feed-them-functions.php only validates the nonce if both $_REQUEST['fts_security'] and $_REQUEST['fts_time'] parameters are set, creating a security bypass condition. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Wordfence).

The vulnerability allows unauthenticated attackers to load feeds via forged requests if they can trick a site administrator into performing specific actions, such as clicking on a malicious link. This could potentially lead to unauthorized content manipulation (NVD).

Users should update the Feed Them Social plugin to a version newer than 2.8.6 to address this vulnerability. The fix has been implemented in subsequent versions through proper nonce validation (WordPress Plugin).