Skip to main content

Social Photo Feed CVE-2026-12002

| EUVDEUVD-2026-42230 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-08 Wordfence GHSA-gwh5-3rc2-hm72
4.7
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
vuln.today AI
4.7 MEDIUM

AV:N and PR:N reflect unauthenticated network delivery; UI:R captures mandatory admin interaction; S:C and I:L reflect integrity impact on external Meta API tokens only.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 13:24 vuln.today
CVE Published
Jul 08, 2026 - 12:33 nvd
MEDIUM 4.7

DescriptionCVE.org

The Smash Balloon Social Photo Feed - Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybe_connection_data function. This makes it possible for unauthenticated attackers to overwrite the site's Instagram and Facebook oEmbed access tokens via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the maybe_connection_data function, WordPress's primary CSRF defense mechanism. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Phish site administrator with malicious link
Delivery
Administrator clicks while authenticated to WordPress
Exploit
Browser sends forged cross-origin POST with attacker token values
Execution
Server skips nonce validation on maybe_connection_data
Persist
Instagram/Facebook oEmbed tokens overwritten
Impact
Social feed disrupted or API credentials redirected

Vulnerability AssessmentAI

Exploitation Exploitation requires that a WordPress site administrator with plugin management privileges be actively logged into the WordPress backend and be induced to click a malicious link or visit an attacker-controlled page - the CVSS UI:R metric confirms this active interaction is mandatory and cannot be bypassed remotely. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.7 (Medium) is consistent with the attack profile: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a webpage containing a hidden form or JavaScript fetch that issues a POST request to the target WordPress site's `maybe_connection_data` endpoint with attacker-controlled oEmbed token values. The attacker delivers a link to this page via phishing email to the site administrator; when the administrator clicks the link while their WordPress session is active, the browser automatically includes the session cookie and the server - lacking nonce validation - accepts the forged request and overwrites the stored Instagram and Facebook API tokens. …
Remediation Update the Smash Balloon Social Photo Feed - Easy Social Feeds Plugin to a version above 6.11.1 - an upstream fix is confirmed in WordPress Trac changeset 3575933 targeting instagram-feed/trunk/admin/SBI_oEmbeds.php (https://plugins.trac.wordpress.org/changeset/3575933/instagram-feed/trunk/admin/SBI_oEmbeds.php); however, the exact version number of the released patched plugin has not been independently confirmed from available data, so verify the current stable release in the WordPress plugin directory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy