WordPress Plugin Vulnerabilities

Smash Balloon Instagram Feed < 6.9.1 - Contributor+ Stored XSS via `data-plugin` Attribute

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
instagram-feed
Fixed in 6.9.1

References

CVE
CVE-2025-4583
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/23e47daa-79e7-4ed3-a88a-0f090e9aa277

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Asaf Mozes
Verified
No
WPVDB ID
e23b086a-6168-4e50-b790-72228be7a15a

Timeline

Publicly Published
2025-05-28 (about 9 months ago)
Added
2025-05-30 (about 9 months ago)
Last Updated
2025-05-30 (about 9 months ago)

Other

Published
Title
Published
2025-12-07
Title
Make Section & Column Clickable For Elementor < 2.4.1 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2025-04-09
Title
Link Shield <= 0.5.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2022-12-01
Title
Google Apps Login < 3.4.5 - Admin+ Stored XSS
Published
2024-04-15
Title
Netgsm < 2.9.1 - Reflected Cross-Site Scripting
Published
2024-02-12
Title
Ultimate Reviews < 3.2.9 - Unauthenticated stored Cross-Site Scripting via reviews