cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forinstagram-feed instagram-feed

Direction: ascending
Jun 07, 2024

Smash Balloon Social Photo Feed – Best Social Feed Plugin for WordPress # 0f602c2fa3da61fde88d461b5bfa94514dba3dee

Date
Feb 07, 2018
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 1.6 WordPress Instagram Feed plugin <=1.5.1 - Cross-Site Scripting (XSS) vulnerability Cross-Site Scripting (XSS) vulnerability found Dumpcore in WordPress Instagram Feed plugin (versions <=1.5.1).
Affected versions
max 1.6.
Status
vulnerable
May 30, 2025

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # CVE-2025-4583

CVE, Research URL

CVE-2025-4583

Date
May 29, 2025
Research Description
The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 (Free) and 6.8.0 (Pro) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.9.1.
Status
vulnerable
Feb 27, 2026

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # PSC-2026-64623

PSC, Research URL

PSC-2026-64623

Date
Feb 27, 2026
Research Description
Social feed plugins are valuable for keeping a website fresh, but they also expand the attack surface because they integrate with external platforms, render dynamic content on the front end, and store configuration that can include display templates, access tokens, and connection metadata. Weaknesses in access control, request integrity, or output handling can translate into stored XSS in rendered feed elements, CSRF-driven settings changes, data leakage through misprotected endpoints, or unsafe exposure of integration state. Smash Balloon Social Photo Feed – Easy Social Feeds Plugin version 6.10.0 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64623, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for social media embedding and feed-rendering plugins.
Affected versions
Min 6.11.3, max 6.11.3.
Status
SAFE & CERTIFIED
Jun 16, 2026

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # cff60996de18d96c853c179f6dd70c33a7a6fa31

Date
Mar 05, 2019
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 1.12 Smash Balloon Social Photo Feed <= 1.11.3 - Cross-Site Request Forgery to Back-Up Deletion The Smash Balloon Social Photo Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.3. This is due to missing or incorrect nonce validation on the sbi_clear_backups() function. This makes it possible for unauthenticated attackers to clear the plugins back-ups via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.12.
Status
vulnerable

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # 6c4256eeb71c37c6520e635a4f6b8122301d34e8

Date
Jan 18, 2018
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 1.6 Smash Balloon Social Photo Feed <= 1.5.1 - Reflected Cross-Site Scripting The Smash Balloon Social Photo Feed plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘access_token’ parameter in versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 1.6.
Status
vulnerable

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # d9a57a3a-251b-46cc-8f42-0c64657aaaa3

Date
-
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 1.4.7 Instagram Feed &lt;= 1.4.6.2 - Authenticated Cross-Site Scripting (XSS) &amp; CSRF The Smash Balloon Social Photo Feed WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) &amp; CSRF security vulnerability.
Affected versions
max 1.4.7.
Status
vulnerable

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # e766e165-1a05-4065-9e71-27b528641dd2

Date
-
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 2.9.2 Multiple Plugins from Smash Balloon - Reflected Cross-Site Scripting The plugins do not properly sanitise the URL generated to dismiss the New Users notifications, leading to a reflected Cross-Site Scripting issue
Affected versions
max 2.9.2.
Status
vulnerable

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # 4cd4f9d7a71cd609f161d10286616a84533e6de4

Date
Nov 21, 2016
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 1.4.7 WordPress Instagram Feed Plugin <= 1.4.6.2 - Cross Site Request Forgery Because of this vulnerability, attackers can perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. Update the plugin.
Affected versions
max 1.4.7.
Status
vulnerable

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # 63d036bf8354801dd02167b4cc6a671f96fb03ce

Date
Jul 20, 2021
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 2.9.2 Smash Balloon Plugins (Various Versions) - Reflected Cross-Site Scripting Several Smash Balloon Plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via URLs in various versions due to insufficient input sanitization and output escaping with the use of add_query_arg. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 2.9.2.
Status
vulnerable

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # 186f32c07afa9283cdfb606de43cacac95ab248f

Date
Nov 19, 2016
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 1.4.7 Smash Balloon Social Photo Feed <= 1.4.6.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting The Smash Balloon Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in the settings page in versions up to, and including, 1.4.6.2 due to insufficient input sanitization and output escaping and missing nonce validation. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.4.7.
Status
vulnerable

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # ef357b6f-b37c-43e0-94fe-60ae6d8f68bc

Date
-
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 1.12 Instagram Feed &lt;= 1.11.3 - Unspecified Issues The Smash Balloon Social Photo Feed WordPress plugin was affected by an Unspecified Issues security vulnerability.
Affected versions
max 1.12.
Status
vulnerable

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # 36d33de7-655e-40d9-9745-ed2e10836360

Date
-
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 1.6 Instagram Feed &lt;= 1.5.1 - Cross-Site Scripting (XSS) The Smash Balloon Social Photo Feed WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 1.6.
Status
vulnerable
Jul 08, 2026

Smash Balloon Social Photo Feed &#8211; Best Social Feed Plugin for WordPress # CVE-2026-12002

CVE, Research URL

CVE-2026-12002

Date
-
Research Description
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 6.11.2 CVE-2026-12002
Affected versions
max 6.11.2.
Status
vulnerable