EPSS percentile: 21.4%
The plugin did not perform any privilege or nonce validation before saving its settings. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.
jetpack.com/2021/10/29/security-issues-patched-in-smash-balloon-social-post-feed-plugin/