Vulnerabilities > CVE-2021-24508 - Unspecified vulnerability in Smashballoon Smash Balloon Social Post Feed

CVSS 6.1 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

smashballoon

NVD

Published: 2021-09-13

Updated: 2024-11-21

Summary

The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged in administrator.

Vulnerable Configurations

Part	Description	Count
Application	Smashballoon Smashballoon Smash Balloon Social Post Feed *	1

References

https://wpscan.com/vulnerability/2b543740-d4b0-49b5-a021-454a3a72162f
https://wpscan.com/vulnerability/2b543740-d4b0-49b5-a021-454a3a72162f