Unrated severityNVD Advisory· Published Nov 29, 2021· Updated Aug 3, 2024

Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to Stored XSS

CVE-2021-24918

Description

The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.

Affected products

Unknown/Smash Balloon Social Post Feedv5
Range: 4.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

jetpack.com/2021/10/29/security-issues-patched-in-smash-balloon-social-post-feed-plugin/mitrex_refsource_MISC
wpscan.com/vulnerability/5d252ad7-bf28-44f3-8cd0-c4fe05c48f35mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000