During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered several sensitive AJAX endpoints were accessible to any users with an account on the vulnerable site, like subscribers. Some of these endpoints could enable Stored Cross-Site Scripting (XSS) attacks to occur.
A successful Stored XSS attack could enable bad actors to store malicious scripts on every post and page of the affected site. If a logged-in administrator visits one of the affected URLs, the script may run on their browser and execute administrative actions on their behalf, like creating new administrators and installing rogue plugins.
We reported the vulnerabilities to this plugin's author via email, and they recently released version 4.0.1 to address them. We strongly recommend that you update to the latest version of the Smash Balloon Social Post Feed plugin and have an established security solution on your site, such as Jetpack Security.
Read more of this post
WordPress.com
![[THE LATEST] Inside hell's kitchen 👩🏽🍳](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uk3yV5gPuoQ06JRkpm-IRp6q_sJTV_9rY-gAiIRVrE7x1FMPv0fJ7qpNt9yqLpZcU73dY_x9DgYR0c3a5UtjpbFLcBQURaC_9BxVk9c2-Xk6sSkw6-6cLFcMeaJr59pGmjmlDYy1wvns3JVQ-gZeCfwylHc-84nEzDHz2KmQS9N4VgCC86U5K_Ln7Hnt4GxpzEK5dSnLl8L5RlmNMSGnN4zJo5-l2-E9gqOMiBQRw3k1zz0SNMXP9kduvugSg32zVmbFJNzND3godShAd5K9w=w72-h72-p-k-no-nu)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.