Skip to main content

Smash Balloon Social Post Feed

3 CVEs product

Monthly

CVE-2025-4577 MEDIUM This Month

The Smash Balloon Social Post Feed - Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Smash Balloon Social Post Feed PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-24918 MEDIUM POC This Month

The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smash Balloon Social Post Feed
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24508 MEDIUM POC This Month

The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smash Balloon Social Post Feed
NVD WPScan
CVSS 3.1
6.1
EPSS
1.3%
EPSS 0% CVSS 6.4
MEDIUM This Month

The Smash Balloon Social Post Feed - Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Smash Balloon Social Post Feed +1
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smash Balloon Social Post Feed
NVD WPScan
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smash Balloon Social Post Feed
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy