WordPress Plugin Vulnerabilities

Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The plugin was affected by a reflected XSS in custom-facebook-feed in cff-top admin page.

Proof of Concept

Affects Plugins

Plugin icon
custom-facebook-feed
Fixed in 4.1.1

References

CVE
CVE-2021-25065

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
ae1aab4e-b00a-458b-a176-85761655bdcc

Timeline

Publicly Published
2021-12-16 (about 4 years ago)
Added
2021-12-16 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2023-11-28
Title
Chart Builder < 1.9.7 - Admin+ Stored XSS
Published
2022-11-07
Title
Cyklodev WP Notify < 1.3.0 - Admin+ Stored XSS
Published
2025-11-10
Title
Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-11-20
Title
Grey Owl Lightbox <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-05
Title
Content Blocks (Custom Post Widget) < 3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting