Smash Balloon Social Post Feed, a WordPress plugin, was found to contain a vulnerability that allowed an attacker to upload malicious scripts to the websites running it. Security researchers at Jetpack discovered the vulnerability and notified the plugin publishers, who patched it and released a fixed version, version 4.0.1. Versions prior to that one are vulnerable.
Smash Balloon Social Post Feed
The Smash Balloon Social Post Feed WordPress plugin takes Facebook feeds and turns them into posts on a WordPress site.
The free version of the plugin is designed to display Facebook posts in a way that matches the look and feel of the site the Facebook content is republished on. The paid “pro” version also republishes images, videos and comments.
Stored Cross‑Site Scripting via Arbitrary Setting Update
A Stored Cross‑Site Scripting exploit (Stored XSS) is a form of cross-site scripting vulnerability that allows a malicious attacker to upload harmful scripts and have them permanently stored on the server itself, where they are later served to visitors.
The non-profit Open Web Application Security Project (OWASP) describes Stored XSS vulnerabilities:
“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database….
The victim then retrieves the malicious script from the server when it requests the stored information.”
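The "arbitrary setting update" pattern named in the heading is a common root cause of Stored XSS in WordPress plugins: a settings endpoint that lets a request choose which option to write and what to store, without checking who is asking or cleaning the value, and then prints that value back into pages unescaped. The following is an added illustrative example in WordPress PHP; it is not code from the Smash Balloon plugin or from Jetpack's report, and the option name, AJAX action names and field names are assumptions. It shows the weak pattern next to a hardened handler.

```php
<?php
/**
 * Added illustrative example (not the plugin's or Jetpack's code).
 * Option name, AJAX action names and field names are assumptions.
 */

// --- Weak pattern: the request chooses both the option key and the value.
// No nonce, no capability check, no sanitization; a stored <script> tag in
// the value becomes Stored XSS wherever the option is later echoed raw.
function example_weak_save_setting() {
    $name  = $_POST['name'];          // caller-chosen option key
    $value = $_POST['value'];         // caller-chosen, unsanitized value
    update_option( $name, $value );   // persisted in wp_options
    wp_send_json_success();
}
add_action( 'wp_ajax_example_weak_save_setting', 'example_weak_save_setting' );

// --- Hardened pattern.
const EXAMPLE_OPTION       = 'example_feed_settings';            // assumed option name
const EXAMPLE_ALLOWED_KEYS = array( 'feed_title', 'posts_per_page' ); // allow-list of fields

// Each field is sanitized for the type it is supposed to hold.
function example_sanitize_settings( array $input ) {
    $clean = array();
    if ( isset( $input['feed_title'] ) ) {
        $clean['feed_title'] = sanitize_text_field( wp_unslash( $input['feed_title'] ) );
    }
    if ( isset( $input['posts_per_page'] ) ) {
        $clean['posts_per_page'] = max( 1, min( 50, absint( $input['posts_per_page'] ) ) );
    }
    return $clean;
}

function example_safe_save_setting() {
    // 1. The request must carry a valid nonce bound to this action (CSRF protection).
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. The option key is fixed by the plugin; only allow-listed fields are accepted.
    $posted = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) ? $_POST['settings'] : array();
    $posted = array_intersect_key( $posted, array_flip( EXAMPLE_ALLOWED_KEYS ) );

    // 4. Values are sanitized before they reach the database.
    $existing = get_option( EXAMPLE_OPTION, array() );
    $merged   = array_merge( is_array( $existing ) ? $existing : array(), example_sanitize_settings( $posted ) );
    update_option( EXAMPLE_OPTION, $merged );

    wp_send_json_success( $merged );
}
add_action( 'wp_ajax_example_safe_save_setting', 'example_safe_save_setting' );

// 5. Output is still escaped for its context; sanitizing on save is not a substitute.
function example_render_feed_title() {
    $settings = get_option( EXAMPLE_OPTION, array() );
    $title    = isset( $settings['feed_title'] ) ? $settings['feed_title'] : '';
    echo '<h2 class="feed-title">' . esc_html( $title ) . '</h2>';
}
```

The defensive points are independent of one another: the nonce stops cross-site requests, the capability check stops low-privileged accounts, the fixed option name and allow-list stop arbitrary keys from being written, sanitization keeps script markup out of the database, and `esc_html()` at render time neutralizes anything that still gets through. If the plugin uses the Settings API instead of a custom AJAX handler, the same sanitization belongs in the `sanitize_callback` passed to `register_setting()`.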