Vulnerability in Smash Balloon Social Post Feed plugin versions 4.0.0 and earlier - Update Now

November 1, 2021

The Smash Balloon Social Post Feed plugin has a vulnerability in versions 4.0.0 and earlier. We recommend updating to version 4.0.1

During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), Jetpack discovered several sensitive AJAX endpoints were accessible to any users with an account on the vulnerable site, like subscribers. Some of these endpoints could enable Stored Cross-Site Scripting (XSS) attacks to occur. 

A successful Stored XSS attack could enable bad actors to store malicious scripts on every post and page of the affected site. If a logged-in administrator visits one of the affected URLs, the script may run on their browser and execute administrative actions on their behalf, like creating new administrators and installing rogue plugins.

Jetpack reported the vulnerabilities to this plugin’s author via email, and they recently released version 4.0.1 to address them.

We strongly recommend that you update to the latest version of the Smash Balloon Social Post Feed plugin.


Plugin Name: Smash Balloon Social Post Feed
Plugin URI:
Author: Smash Balloon
Author URI:

The Vulnerabilities

Stored Cross‑Site Scripting via Arbitrary Setting Update

Affected versions: < 4.0.1
CVE-ID: CVE-2021-24918
CVSSv3.1: 7.3
CWSS: 80.6

public function cff_save_settings() {
        $data = $_POST;
        $model = isset( $data[ 'model' ] ) ? $data['model'] : null;
        // return if the model is null
        if ( null === $model ) {
        // (...)
        $model = (array) \json_decode( \stripslashes( $model ) );
        $general = (array) $model['general'];
        $feeds = (array) $model['feeds'];
        $translation = (array) $model['translation'];
        $advanced = (array) $model['advanced'];
        // Get the values and sanitize
        $cff_locale                                                     = sanitize_text_field( $feeds['selectedLocale'] );
        $cff_style_settings                                     = get_option( 'cff_style_settings' );
        $cff_style_settings[ 'cff_timezone' ]   = sanitize_text_field( $feeds['selectedTimezone'] );
        $cff_style_settings[ 'cff_custom_css' ] = $feeds['customCSS'];
        $cff_style_settings[ 'cff_custom_js' ]  = $feeds['customJS'];
        $cff_style_settings[ 'gdpr' ]                   = sanitize_text_field( $feeds['gdpr'] );
        $cachingType                                                    = sanitize_text_field( $feeds['cachingType'] );
        $cronInterval                                                   = sanitize_text_field( $feeds['cronInterval'] );
        $cronTime                                                               = sanitize_text_field( $feeds['cronTime'] );
        $cronAmPm                                                               = sanitize_text_field( $feeds['cronAmPm'] );
        $cacheTime                                                              = sanitize_text_field( $feeds['cacheTime'] );
        $cacheTimeUnit                                                  = sanitize_text_field( $feeds['cacheTimeUnit'] );
        // Save general settings data
        update_option( 'cff_preserve_settings', $general['preserveSettings'] );
        // Save feeds settings data
        update_option( 'cff_locale', $cff_locale );
        // (...)
        // Save translation settings data
        foreach( $translation as $key => $val ) {
                $cff_style_settings[ $key ] = $val;
        // Save advanced settings data
        $cff_ajax = sanitize_text_field( $advanced['cff_ajax'] );
        foreach( $advanced as $key => $val ) {
                if ( $key == 'cff_disable_resize' || $key == 'disable_admin_notice' ) {
                        $cff_style_settings[ $key ] = !$val;
                } else {
                        $cff_style_settings[ $key ] = $val;
        // (...)
        update_option( 'cff_ajax', $cff_ajax );
        // Update the cff_style_settings option that contains data for translation and advanced tabs
        update_option( 'cff_style_settings', $cff_style_settings );
        // clear cron caches
        new CFF_Response( true, array(
                'cronNextCheck' => $this->get_cron_next_check()
        ) );

The wp_ajax_cff_save_settings AJAX action, which is responsible for updating the plugin’s inner settings, did not perform any privilege or nonce checks before doing so. This made it possible for any logged-in users to call this action and update any of the plugin’s settings.

Unfortunately, one of these settings, customJS, enables administrators to store custom JavaScript on their site’s posts and pages. Updating this setting is all it would’ve taken for a bad actor to store malicious scripts on the site.


We recommend that you check which version of the Smash Balloon Social Post Feed plugin your site is using, and if it is less than 4.0.1, update it as soon as possible!

Please remember to always have your backup enabled Daily backup or at least Weekly backup, because some attacks will be so heavy and dangerous that you might lose your entire site and it would be unable to recover it.

Source from Jetpack

Leave a Reply

Your email address will not be published. Required fields are marked *