Smash Balloon Social Photo Feed Easy Social Feeds Plugin
Monthly
Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the `maybe_connection_data` function, WordPress's primary CSRF defense mechanism. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, a patch changeset is confirmed in the WordPress plugin repository.
Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the `maybe_connection_data` function, WordPress's primary CSRF defense mechanism. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, a patch changeset is confirmed in the WordPress plugin repository.