cleantalk
Vulnerabilities and Security Researches

Smash Balloon Social Photo Feed – Best Social Feed Plugin for WordPress, CVE-2025-4583

CVE, Research URL

CVE-2025-4583

Home page URL

Security reports for Smash Balloon Social Photo Feed – Best Social Feed Plugin for WordPress

Application

Smash Balloon Social Photo Feed – Best Social Feed Plugin for WordPress

Published on
May 29, 2025
Research Description
The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 6.9.1.
Status
vulnerable
Previous vulnerability researches
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction (CVE-2024-11291) , Dec 19, 2024
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction (CVE-2024-12919) , Jan 15, 2025
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction (CVE-2025-31088) , Apr 02, 2025
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction (CVE-2021-24728) , Jun 07, 2024
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction (CVE-2024-32728) , Jun 07, 2024
New vulnerability
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce (CVE-2025-48125) , May 31, 2025
Minimal Share Buttons (CVE-2025-5259) , May 30, 2025
LA-Studio Element Kit for Elementor (CVE-2025-4943) , May 30, 2025
LA-Studio Element Kit for Elementor (CVE-2025-4944) , May 30, 2025
Essential Real Estate (CVE-2025-48126) , May 30, 2025