WordPress Plugin Vulnerabilities

Smash Balloon Custom Facebook Feed < 4.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-color` Attribute

Description

The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
custom-facebook-feed
Fixed in 4.3.2

References

CVE
CVE-2025-4577
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec3de7e2-4a29-401f-af2c-0ce78d768eae

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Asaf Mozes
Verified
No
WPVDB ID
18ef2008-c84d-467e-a372-7c3b25dfcaec

Timeline

Publicly Published
2025-06-09 (about 11 months ago)
Added
2025-06-09 (about 11 months ago)
Last Updated
2025-06-10 (about 11 months ago)

Other

Published
Title
Published
2019-06-24
Title
Custom 404 Pro < 3.2.8 - XSS
Published
2021-01-12
Title
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting
Published
2024-09-30
Title
Include Fussball.de Widgets <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-26
Title
bbp topic count <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-31
Title
TradeMe widgets <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting