WordPress Plugin Vulnerabilities

Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to Stored XSS

Description

The plugin did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.

Affects Plugins

Plugin icon
custom-facebook-feed
Fixed in 4.0.1

References

CVE
CVE-2021-24918
URL
https://jetpack.com/2021/10/29/security-issues-patched-in-smash-balloon-social-post-feed-plugin/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.3 (high)

Miscellaneous

Original Researcher
Marc Montpas
Submitter
Marc Montpas (Jetpack Scan)
Submitter website
https://jetpack.com/
Submitter twitter
marcS0H
Verified
Yes
WPVDB ID
5d252ad7-bf28-44f3-8cd0-c4fe05c48f35

Timeline

Publicly Published
2021-10-29 (about 4 years ago)
Added
2021-10-29 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-04-17
Title
LoginPress Pro < 3.0.0 - Captcha Bypass
Published
2024-08-24
Title
PowerPack Pro for Elementor < 2.10.15 - Contributor+ Privilege Escalation
Published
2022-01-03
Title
TrustMate.io integration for WooCommerce < 1.7.1 - Subscriber+ Arbitrary Blog Option Update
Published
2024-01-08
Title
ElementsKit Lite < 3.0.4 - Unauthenticated Sensitive Information Exposure
Published
2021-07-12
Title
Advanced Menu Manager < 3.0.7 - Unauthorised Menu Creation/Deletion