CVE-2021-24918

Severity: 5.4 MEDIUM
EPSS: 0.2% (top 60.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 29; latest update Nov 30

Description

The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not perform any privilege (capability) or nonce validation before saving the plugin's settings. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript that is rendered on each of its posts and pages.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages: 2 packages

Vulnerability Details (3 sources)

GHSA
GHSA-j9qp-w82r-g5cf: The Smash Balloon Social Post Feed WordPress plugin before 4 (2021-11-30)
CVEList
Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to Stored XSS (2021-11-29)
VulnCheck
smashballoon smash_balloon_social_post_feed Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (2021)
CVE-2021-24918 (MEDIUM CVSS 5.4) | The Smash Balloon Social Post Feed | cvebase.io