Really Simple Security logo

Log out
Get PRO

Latest

Input validation vulnerability in 4 Smash Balloon plugins

  • Severity: medium-risk
  • Status: Fixed
  • Publication: July 20, 2021

Several plugins for WordPress created by Smash Balloon have a security vulnerability that could allow an attacker to inject malicious code into webpages. If an attacker can convince a user to click on a link or take another action, the malicious code would be executed. This is because the plugins do not properly sanitize user input and escape output, which makes it possible for the attacker to use add_query_arg to insert the malicious code.

Detected in:

Custom Twitter Feeds – A Tweets Widget or X Feed Widget fixed vulnerable versions:
Custom Twitter Feeds (Tweets Widget) fixed vulnerable versions: >= * <= 1.8.1
Feeds for YouTube (YouTube video, channel, and gallery plugin) fixed vulnerable versions: >= * <= 1.4.1
Smash Balloon Social Photo Feed fixed vulnerable versions: >= * <= 2.9.1
Smash Balloon Social Photo Feed – Best Social Feed Plugin for WordPress fixed vulnerable versions:
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin fixed vulnerable versions:
Smash Balloon Social Post Feed fixed vulnerable versions: >= * <= 2.19.1
Smash Balloon Social Post Feed – Customizable Social Feeds Plugin fixed vulnerable versions:
Smash Balloon Social Post Feed – Simple Social Feeds for WordPress fixed vulnerable versions:

This information is sourced from www.wpvulnerability.com. An open-source database of vulnerabilities maintained by the community. Help us out by submitting vulnerabilities!

Version compare shows which versions have a vulnerability. For example: >= 2.2.8 <= 2.2.21 means:

> from 2.2.8
= including 2.2.8 & 2.2.21
< to 2.2.21

  • Incorrect?

Is this information incorrect? Please leave us a message.