WordPress Plugin Vulnerabilities

Smash Balloon Social Post Feed < 4.2.2 - Facebook Token Reset/Update via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the maybe_source_connection_data() function, allowing attacker to reset and set an arbitrary Facebook Token via a CSRF attack

Affects Plugins

Plugin icon
custom-facebook-feed
Fixed in 4.2.2

References

CVE
CVE-2024-31379
URL
https://patchstack.com/database/vulnerability/custom-facebook-feed/wordpress-smash-balloon-social-post-feed-plugin-4-2-1-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
57002393-b576-41ac-ba22-76300f6a1173

Timeline

Publicly Published
2024-04-10 (about 2 years ago)
Added
2024-04-17 (about 2 years ago)
Last Updated
2024-04-17 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Cardoza WordPress Poll <= 34.05 - Multiple External Function Remote Poll Manipulation
Published
2023-11-08
Title
WP Full Stripe Free < 7.0.18 - Settings Update via CSRF
Published
2025-07-21
Title
CBX Restaurant Booking <= 1.2.1 - Plugin Reset via CSRF
Published
2021-08-16
Title
Post Carousel < 2.3.5 - CSRF Bypass / Unauthorised AJAX Calls
Published
2025-03-11
Title
WP jQuery Persian Datepicker <= 0.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting