CVE-2021-24918

CVE-2021-24918: Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to Stored XSS

Vendor Unknown

Product Smash Balloon Social Post Feed

Weakness CWE-79 · XSS

Published November 29, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.

Key dates

02Disclosure timeline

November 29, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24918

Related vulnerabilities

04Related CVE

CVE-2021-24134 Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS CVE-2026-2437 WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode CVE-2023-26017 WordPress Jobs for WordPress Plugin <= 2.5.10.2 is vulnerable to Cross Site Scripting (XSS) CVE-2025-11763 Display Pages Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-0433 Master Addons <= 2.0.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter