CVE-2021-24508: WordPress Smash Balloon Plugin XSS Vulnerability (Cross-platform)

Stored Cross-Site Scripting (XSS) in Social Post Feed Plugin (< v2.19.2)

📢 Advisory Summary

Vulnerability Type: Stored XSS (CWE-79)

Affected Plugin: Smash Balloon Social Post Feed

Versions Impacted: < 2.19.2

CVSSv3 Score: 6.1 (Medium) [AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]. Note that PR:N (no privileges required) is inconsistent with the authenticated requirement stated below; the same vector with PR:L scores 5.4 (Medium), which is the usual rating for a Contributor-level stored XSS. Check the NVD or WPScan entry for the authoritative score.

Required Privileges: Authenticated user (Contributor or higher)

🔍 Technical Impact

Malicious actors could:
✓ Inject arbitrary JavaScript via Instagram feed embeds
✓ Run that JavaScript in the browser of an administrator who views the affected content in the dashboard, and perform authenticated actions as that administrator (WordPress auth cookies are HttpOnly, so the realistic outcome is forged admin requests such as creating users or editing plugins rather than cookie theft)
✓ Deface sites or redirect visitors

đŸ›Ąī¸ Mitigation Steps

Immediate Action:

Upgrade to Smash Balloon Social Post Feed ≥ v2.19.2

Audit user roles (limit Contributor privileges)

Detection:

SQL (replace wp_ with the site's table prefix; this lists every post that embeds the feed shortcode for manual review and does not by itself prove exploitation):

-- posts embedding the feed shortcode, newest first, with the author ID for the role audit
SELECT ID, post_author, post_status, post_modified FROM wp_posts WHERE post_content LIKE '%[instagram-feed%' ORDER BY post_modified DESC;


Temporary Measure:
If the update cannot be applied immediately, deactivate the plugin or remove [instagram-feed] shortcodes from published content until the site is patched
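The Detection query only lists posts that contain the shortcode; the rows still have to be read to tell a normal embed from an injected one. The scanner below is an added example for this advisory, not code from the advisory or from the Smash Balloon plugin. It assumes the rows come out as (ID, post_author, post_content) tuples, parses each embed's attributes with a simplified port of WordPress's shortcode_parse_atts() grammar, and flags values that would break out of or inject into HTML if a plugin echoed them without esc_attr()/esc_html(). The indicator list and the sample rows are constructed for the example; the shortcode tag is a parameter so the same check covers [custom-facebook-feed] or any other tag.

```python
"""Triage feed-shortcode attribute values exported from wp_posts for HTML/JS injection.

Added example for this advisory, not code from the advisory or from the Smash Balloon
plugin. Assumed input: (ID, post_author, post_content) rows as returned by the
Detection query. The shortcode tag is a parameter so the same scanner covers
[instagram-feed], [custom-facebook-feed] or any other tag.
"""
import re
from typing import Dict, List, Tuple

Row = Tuple[int, int, str]                 # (post ID, author ID, post_content)
Finding = Tuple[int, int, str, str, str]   # (post ID, author ID, attribute, indicator, value)


def _shortcode_pattern(tag: str) -> re.Pattern:
    # Like WordPress's shortcode regex: attribute text runs up to the closing
    # bracket and cannot contain ']'. The lookahead stops "instagram-feed"
    # from also matching a longer tag such as "instagram-feed-pro".
    return re.compile(r"\[" + re.escape(tag) + r"(?![\w-])([^\]]*)\]")


# Simplified port of WordPress shortcode_parse_atts(): name="v", name='v',
# name=v, or a bare positional token, tried in that order.
_ATTR_RE = re.compile(
    r'([\w-]+)\s*=\s*"([^"]*)"(?:\s|$)'
    r"|([\w-]+)\s*=\s*'([^']*)'(?:\s|$)"
    r"""|([\w-]+)\s*=\s*([^\s'"]+)(?:\s|$)"""
    r'|"([^"]*)"(?:\s|$)'
    r"|'([^']*)'(?:\s|$)"
    r"|(\S+)(?:\s|$)"
)

# Indicators that a value would break out of, or inject into, HTML if the plugin
# echoed it without esc_attr()/esc_html(). Checked in this order; first hit wins.
_INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("html-tag",       re.compile(r"<\s*/?\s*[a-z!]", re.I)),
    ("event-handler",  re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script-url",     re.compile(r"(?:javascript|vbscript)\s*:", re.I)),
    ("encoded-markup", re.compile(r"&(?:lt|gt|#0*6[02]|#x0*3[ce]);", re.I)),
    ("css-expression", re.compile(r"expression\s*\(", re.I)),
    ("quote-breakout", re.compile(r"""["']""")),
]


def parse_atts(text: str) -> Dict[str, str]:
    """Parse a shortcode's attribute string into a name -> value map."""
    atts: Dict[str, str] = {}
    positional = 0
    for m in _ATTR_RE.finditer(text):
        if m.group(1) is not None:
            atts[m.group(1).lower()] = m.group(2)
        elif m.group(3) is not None:
            atts[m.group(3).lower()] = m.group(4)
        elif m.group(5) is not None:
            atts[m.group(5).lower()] = m.group(6)
        else:  # positional token (quoted or bare); keyed by index like WordPress does
            atts[str(positional)] = m.group(7) or m.group(8) or m.group(9) or ""
            positional += 1
    return atts


def scan_rows(rows: List[Row], tag: str = "instagram-feed") -> List[Finding]:
    """Return one finding per suspicious attribute across every embed of `tag`."""
    pattern = _shortcode_pattern(tag)
    findings: List[Finding] = []
    for post_id, author, content in rows:
        for embed in pattern.finditer(content):
            for name, value in parse_atts(embed.group(1)).items():
                for label, rx in _INDICATORS:
                    if rx.search(value):
                        findings.append((post_id, author, name, label, value))
                        break
    return findings


def findings_by_author(findings: List[Finding]) -> Dict[int, int]:
    """Count findings per author ID, to feed the role audit in the mitigation steps."""
    counts: Dict[int, int] = {}
    for _, author, *_ in findings:
        counts[author] = counts.get(author, 0) + 1
    return counts


# Constructed sample rows for the example; not real site data.
SAMPLE_ROWS: List[Row] = [
    (11, 2, "Gallery: [instagram-feed num=6 cols=3 showheader=true headercolor=#333]"),
    # single-quoted value that closes a double-quoted HTML attribute and adds a handler
    (12, 7, "[instagram-feed background='#fff\" onmouseover=\"alert(document.domain)']"),
    # raw markup inside a double-quoted value
    (13, 7, '[instagram-feed headersize=small headercolor="<img src=x onerror=alert(1)>"]'),
    # numeric entities for < and >, which survive a naive strip_tags()-style cleanup
    (14, 4, '[instagram-feed num=4 background="&#60;script&#62;alert(1)&#60;/script&#62;"]'),
    (15, 3, "Plain post text, nothing to scan."),
]

if __name__ == "__main__":
    for post_id, author, attr, label, value in scan_rows(SAMPLE_ROWS):
        print(f"post {post_id} (author {author}): {attr} flagged as {label}: {value!r}")
    print("findings per author:", findings_by_author(scan_rows(SAMPLE_ROWS)))
```

On a real site, feed the scanner the output of the Detection query (for example via wp db query) and treat every hit as something to read by hand. The scanner looks at attribute values rather than at `<script>` tags in the post body because WordPress already runs KSES over content saved by users without the unfiltered_html capability, so a Contributor's payload has to survive inside data that the plugin later writes into markup. Since the changelog entry refers to feed customization, the same value check is worth running over the plugin's settings rows in wp_options as well; that is an assumption about where customization data is stored, not something the advisory states.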

📌 Vendor Response

Patch Released: July 2021 (v2.19.2)

Changelog Reference: Fixed XSS in feed customization

📚 Additional Resources

WPScan Vulnerability Database

MITRE CVE Entry

OWASP XSS Prevention Cheat Sheet

#WordPressSecurity #XSS #WebSecurity #PatchManagement