CVE-2021-24508: Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
First published: Mon Sep 13 2021(Updated: )
The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged in administrator.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Smashballoon Smash Balloon Social Post Feed | <2.19.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-24508?
CVE-2021-24508 is a vulnerability found in the Smash Balloon Social Post Feed WordPress plugin before version 2.19.2.
What is the severity of CVE-2021-24508?
CVE-2021-24508 has a severity level of medium with a CVSS score of 6.1.
How does CVE-2021-24508 affect the Smash Balloon Social Post Feed plugin?
CVE-2021-24508 affects the Smash Balloon Social Post Feed plugin before version 2.19.2 by not properly sanitizing or escaping the feedID POST parameter in its feed_locator AJAX action.
Who is affected by CVE-2021-24508?
Users of the Smash Balloon Social Post Feed plugin before version 2.19.2 are affected by CVE-2021-24508.
How can I fix CVE-2021-24508?
To fix CVE-2021-24508, update the Smash Balloon Social Post Feed plugin to version 2.19.2 or later.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/smashballoon
- canonical/smashballoon smash balloon social post feed