Lucene search

WpvulndbWPVDB-ID:57002393-B576-41AC-BA22-76300F6A1173

HistoryApr 17, 2024 - 12:00 a.m.

Smash Balloon Social Post Feed < 4.2.2 - Facebook Token Reset/Update via CSRF

2024-04-1700:00:00

wpscan.com

plugin

csrf

facebook token

vulnerability

security

attack

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the maybe_source_connection_data() function, allowing attacker to reset and set an arbitrary Facebook Token via a CSRF attack

CPENameOperatorVersion
eq4.2.2

CPE	Name	Operator	Version
		eq	4.2.2

References

patchstack.com/database/vulnerability/custom-facebook-feed/wordpress-smash-balloon-social-post-feed-plugin-4-2-1-cross-site-request-forgery-csrf-vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for WPVDB-ID:57002393-B576-41AC-BA22-76300F6A1173