CVE-2024-31379
- EPSS 0.16%
- Published 15.04.2024 11:15:09
- Last modified 21.11.2024 09:13:24
Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Smash Balloon Social Post Feed. This issue affects Smash Balloon Social Post Feed: from n/a through 4.2.1.
CVE-2022-4477
- EPSS 0.2%
- Published 16.01.2023 16:15:12
- Last modified 04.04.2025 18:15:45
The Smash Balloon Social Post Feed WordPress plugin before 4.1.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cro...
CVE-2021-25065
- EPSS 3.14%
- Published 17.01.2022 13:15:08
- Last modified 21.11.2024 05:54:17
The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed in cff-top admin page.
CVE-2021-24918
- EPSS 0.18%
- Published 29.11.2021 09:15:08
- Last modified 21.11.2024 05:54:00
The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScr...
CVE-2021-24508
- EPSS 15.85%
- Published 13.09.2021 18:15:15
- Last modified 21.11.2024 05:53:12
The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version ...