CVE-2022-4477: Smash Balloon Social Post Feed < 4.1.6 - Contributor+ Stored XSS
First published: Mon Jan 16 2023(Updated: )
The Smash Balloon Social Post Feed WordPress plugin before 4.1.6 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Smashballoon Smash Balloon Social Post Feed | <4.1.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID of this vulnerability is CVE-2022-4477.
What is the severity level of CVE-2022-4477?
The severity level of CVE-2022-4477 is medium (5.4).
What is the affected software in CVE-2022-4477?
The affected software in CVE-2022-4477 is the Smash Balloon Social Post Feed WordPress plugin before version 4.1.6.
What is the CWE classification of CVE-2022-4477?
The CWE classification of CVE-2022-4477 is CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')).
How can the vulnerability be exploited?
The vulnerability can be exploited by users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/severity
- agent/author
- agent/tags
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- vendor/smashballoon
- canonical/smashballoon smash balloon social post feed