Browse all 3 CVE security advisories affecting Smash Balloon. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Smash Balloon develops social media feed plugins that allow websites to display content from platforms like Instagram, Facebook, and YouTube. Historically, these plugins have been susceptible to multiple cross-site scripting (XSS) vulnerabilities, including stored XSS that could allow attackers to inject malicious scripts into user browsers. One critical vulnerability (CVE-2021-24966) enabled remote code execution through unauthenticated REST API endpoints. The plugins' extensive user base and direct integration with social platforms make them a high-impact target. While recent versions have addressed many issues, the plugins' complex functionality and frequent updates continue to present potential security risks that require careful configuration and maintenance.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-31379 | WordPress Smash Balloon Social Post Feed plugin <= 4.2.1 - Cross Site Request Forgery (CSRF) vulnerability | Smash Balloon Social Post Feed | CWE-352 | 4.3 | Medium | 2024-04-15 |
| CVE-2023-52136 | WordPress Custom Twitter Feeds (Tweets Widget) Plugin <= 2.1.2 is vulnerable to Cross Site Request Forgery (CSRF) | Custom Twitter Feeds – A Tweets Widget or X Feed Widget | CWE-352 | 4.3 | Medium | 2024-01-05 |
| CVE-2022-33974 | WordPress Custom Twitter Feeds (Tweets Widget) Plugin <= 1.8.4 is vulnerable to Cross Site Request Forgery (CSRF) | Custom Twitter Feeds (Tweets Widget) | CWE-352 | 5.4 | Medium | 2023-05-29 |
This page lists every published CVE security advisory associated with Smash Balloon. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.