CVE-2021-25065
Published 2022-01-17
CVE-2021-25065: The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed in cff-top admin page.
Priority P429 · medium · 5.4 · CVSS 3.1
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 1.22% (64.8th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smashballoon | smash_balloon_social_post_feed | < 4.1.1 | 4.1.1 |
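CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |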
No detection rules found.
Nuclei
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting
nuclei·CVSS 5.4
CVE-2021-25065 [MEDIUM] Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting
Smash Balloon Social Post Feed ")'
- 'contains(body_2, "custom-facebook-feed")'
condition: and
# digest: 4a0a004730450221008c275df7e9f4e0c89c0a323835c158dd14589f0d71a3e2d95eb0884beb050a0102206426fc78f457db28aeea4b9a1f5745eb923e626b0eaae06d8fd700005aa12d18:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
2022-01-17
Published