CVE-2021-25065 – Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-25065
The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS on the cff-top admin page of custom-facebook-feed. Because the page is an admin page, the payload has to be delivered to an authenticated user (hence "Authenticated" in the title), but it still executes in that user's admin session. • https://wpscan.com/vulnerability/ae1aab4e-b00a-458b-a176-85761655bdcc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24918 – Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to Stored XSS
https://notcve.org/view.php?id=CVE-2021-24918
The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not perform any privilege (capability) or nonce validation before saving the plugin's settings. As a result, any logged-in user on a vulnerable site (a Subscriber is enough) could update the settings and store rogue JavaScript that is then emitted on every post and page. Note that the two missing checks are different defences: the capability check is authorization (who may change settings), the nonce is CSRF protection (was this request intentionally sent from the plugin's own form); both were absent. • https://jetpack.com/2021/10/29/security-issues-patched-in-smash-balloon-social-post-feed-plugin • https://wpscan.com/vulnerability/5d252ad7-bf28-44f3-8cd0-c4fe05c48f35 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
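The following is an added illustration of the bug class behind CVE-2021-24918, not Smash Balloon's code: a settings-save handler hooked on admin_init that trusts $_POST with no capability check and no nonce, next to a hardened version. All names (hf_* functions, option names, form fields) are hypothetical; only the WordPress API calls (current_user_can, check_admin_referer, sanitize_text_field, update_option, esc_html) are real.

```php
<?php
// Added example of the CVE-2021-24918 bug class; hf_* names are hypothetical.

// --- Vulnerable pattern ------------------------------------------------------
// admin_init fires for every logged-in user who loads anything under wp-admin
// (Subscribers included), so this overwrites the option for anyone who posts
// the 'hf_save' field, and for anyone a CSRF page can make post it.
function hf_save_settings_vulnerable() {
    if ( ! isset( $_POST['hf_save'] ) ) {
        return;
    }
    $settings = array(
        'feed_id'   => $_POST['feed_id'],
        'custom_js' => $_POST['custom_js'], // later echoed raw on every page: stored XSS
    );
    update_option( 'hf_settings', $settings );
}

// --- Hardened pattern --------------------------------------------------------
function hf_save_settings_hardened() {
    if ( ! isset( $_POST['hf_save'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'hf' ), 403 );
    }
    // 2. CSRF: the form must carry the nonce issued by
    //    wp_nonce_field( 'hf_save_settings', 'hf_nonce' ); a missing or stale
    //    nonce stops execution here.
    check_admin_referer( 'hf_save_settings', 'hf_nonce' );

    // 3. Input handling: sanitise each field to the type it is supposed to be.
    //    Arbitrary script is not a setting an ordinary role should control at
    //    all; gate it on unfiltered_html (admins on single-site installs).
    $settings = array(
        'feed_id'   => sanitize_text_field( wp_unslash( $_POST['feed_id'] ?? '' ) ),
        'custom_js' => current_user_can( 'unfiltered_html' )
            ? wp_unslash( $_POST['custom_js'] ?? '' )
            : '',
    );
    update_option( 'hf_settings', $settings );
}
add_action( 'admin_init', 'hf_save_settings_hardened' );

// Output side: escape for the HTML context at the point of output, whatever
// path the value took into the database.
function hf_render_feed_id() {
    $settings = get_option( 'hf_settings', array() );
    echo esc_html( $settings['feed_id'] ?? '' );
}
```

When auditing a plugin for this class, grep its admin_init / admin_post_* / wp_ajax_* handlers for update_option calls and check that each is preceded by both a current_user_can() test and a check_admin_referer() or check_ajax_referer() call; a handler with only one of the two is still exploitable (CSRF against an admin if the nonce is missing, direct abuse by a low-privilege user if the capability check is missing).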
CVE-2021-24508 – Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24508
The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter of its feed_locator AJAX action (registered for both authenticated and unauthenticated users, i.e. reachable through wp_ajax_nopriv_) before storing it and outputting a truncated version of it in the admin dashboard. This leads to an unauthenticated Stored Cross-Site Scripting issue: an attacker needs no account, and the payload executes in the browser of whichever logged-in administrator views the dashboard. Truncating the stored value does not help here; a short payload survives the truncation intact. • https://wpscan.com/vulnerability/2b543740-d4b0-49b5-a021-454a3a72162f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
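The following is an added illustration, not Smash Balloon's code, of the pattern behind CVE-2021-24508 (an AJAX action open to unauthenticated users stores a POST parameter that an admin page later echoes) and, in the same rendering function, of the reflected variant in CVE-2021-25065 (a request parameter echoed straight back on an admin page). All hf_* names, option names and parameter names other than feedID are hypothetical, as is the allowed shape of a feed ID; the WordPress API calls (add_action, check_ajax_referer, sanitize_text_field, wp_send_json_*, esc_html) are real.

```php
<?php
// Added example of the CVE-2021-24508 / CVE-2021-25065 bug classes; hf_* names are hypothetical.

// --- Vulnerable pattern ------------------------------------------------------
// wp_ajax_nopriv_ makes the action callable with no session at all.
function hf_feed_locator_vulnerable() {
    $feed_id = $_POST['feedID'];                        // untrusted, unsanitised
    $seen    = get_option( 'hf_feed_locations', array() );
    $seen[]  = $feed_id;                                // stored verbatim
    update_option( 'hf_feed_locations', $seen );
    wp_send_json_success();
}
add_action( 'wp_ajax_hf_feed_locator', 'hf_feed_locator_vulnerable' );
add_action( 'wp_ajax_nopriv_hf_feed_locator', 'hf_feed_locator_vulnerable' );

function hf_dashboard_widget_vulnerable() {
    foreach ( get_option( 'hf_feed_locations', array() ) as $feed_id ) {
        // Truncation is not neutralisation: a payload shorter than the cut-off
        // is emitted unchanged into the admin's page.
        echo '<li>' . substr( $feed_id, 0, 40 ) . '</li>';
    }
    // Reflected variant: a query parameter echoed back on an admin page.
    echo '<p>Showing feed ' . $_GET['feed'] . '</p>';
}

// --- Hardened pattern --------------------------------------------------------
function hf_feed_locator_hardened() {
    // A nonce issued to the front-end script (wp_create_nonce( 'hf_feed_locator' ),
    // sent as 'nonce'). For logged-out callers this is NOT authorization: the
    // value is public on the page; it only stops blind cross-site posting.
    check_ajax_referer( 'hf_feed_locator', 'nonce' );

    // Validate against the shape the value is supposed to have instead of
    // relying on sanitisation alone. The pattern is an assumption for the example.
    $feed_id = isset( $_POST['feedID'] ) ? sanitize_text_field( wp_unslash( $_POST['feedID'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $feed_id ) ) {
        wp_send_json_error( 'invalid feedID', 400 );  // exits
    }

    $seen = get_option( 'hf_feed_locations', array() );
    if ( ! in_array( $feed_id, $seen, true ) ) {
        $seen[] = $feed_id;
        // Bound what an unauthenticated caller can make the option grow to.
        update_option( 'hf_feed_locations', array_slice( $seen, -100 ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_hf_feed_locator', 'hf_feed_locator_hardened' );
add_action( 'wp_ajax_nopriv_hf_feed_locator', 'hf_feed_locator_hardened' );

function hf_dashboard_widget_hardened() {
    foreach ( get_option( 'hf_feed_locations', array() ) as $feed_id ) {
        // Escape for the HTML text context at output time, after truncation,
        // so the stored value can never become markup regardless of how it got in.
        echo '<li>' . esc_html( mb_substr( $feed_id, 0, 40 ) ) . '</li>';
    }
    $feed = isset( $_GET['feed'] ) ? sanitize_text_field( wp_unslash( $_GET['feed'] ) ) : '';
    echo '<p>Showing feed ' . esc_html( $feed ) . '</p>';
}
```

The two halves of the fix are independent and both are needed: validation at the nopriv entry point limits what an anonymous caller can persist, and esc_html() at the output site guarantees that whatever is persisted cannot execute in an administrator's browser. Escaping on output is the control that closes both the stored case (feedID) and the reflected case ($_GET['feed']); use the escaper matching the context (esc_attr for attributes, esc_url for href/src, wp_json_encode for data handed to script).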