The Smash Balloon Social Post Feed WordPress plugin prior to 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
smashballoon smash balloon social post feed |