
A vulnerability in the WordPress Facebook Feed Plugin exposes over 200,000 websites

The vulnerability in the Smash Balloon Social Post Feed WordPress plugin exposes over 200,000 websites to a Stored XSS vulnerability.

Smash Balloon Social Post Feed, a WordPress plugin, was found to contain a vulnerability that let any logged-in user store malicious scripts on the site. Jetpack security researchers discovered the vulnerability and notified the plugin's publisher, which patched it in version 4.0.1. Versions prior to 4.0.1 are affected.

Smash Balloon Social Post Feed

The Smash Balloon Social Post Feed WordPress plugin converts Facebook feeds into posts on a WordPress site.

The free version of the plugin is intended to display Facebook posts in a manner consistent with the look and feel of the site on which the Facebook content is republished. The paid “pro” version also allows you to republish images, videos, and comments.

Cross-Site Scripting via Arbitrary Setting Update

A Stored Cross-Site Scripting vulnerability (Stored XSS) is a type of cross-site scripting flaw that allows an attacker to upload and permanently store a harmful script on the server, where it is later served to every visitor who loads the affected page.

The following is how the non-profit Open Web Application Security Project (OWASP) defines Stored XSS vulnerabilities:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database….

The victim then retrieves the malicious script from the server when it requests the stored information.”

Checks for Privilege and Nonce are missing

The Jetpack security advisory stated that the Smash Balloon Social Post Feed WordPress plugin was missing two safeguards that together turned it into a security risk: a privilege (capability) check and a nonce check.

XSS vulnerabilities can arise anywhere a WordPress site accepts input that it later renders: a form, a comment field, a settings page, or any other place a user can enter data.

A WordPress plugin is supposed to protect the site by performing checks before it acts, such as verifying the current user's capabilities (which follow from the user's role: subscriber, editor, administrator) with a call like current_user_can().

Without a proper privilege check, a user at the lowest level, such as a subscriber, can perform actions that would normally require the highest level of access, such as administrator privileges.

A WordPress nonce is a security token tied to a particular user, action, and time window (despite the name, it is not strictly single-use). Its purpose is to prove that a request was deliberately made from the site's own interface, which is what protects a form or AJAX endpoint from Cross-Site Request Forgery (CSRF).

The following is an explanation of the value of nonces from the WordPress Nonce Documentation:

“If your theme allows users to submit data; be it in the Admin or the front-end; nonces can be used to verify a user intends to perform an action, and is instrumental in protecting against Cross-Site Request Forgery (CSRF).

An example is a WordPress site in which authorized users are allowed to upload videos.”

The flaw Jetpack found in the Smash Balloon plugin was exactly this: the plugin performed neither a privilege check nor a nonce check before saving its settings, leaving the site open to attack.

Jetpack described how the vulnerability exposed websites in the following way:

“The wp_ajax_cff_save_settings AJAX action, which is responsible for updating the plugin’s inner settings, did not perform any privilege or nonce checks before doing so. This made it possible for any logged-in users to call this action and update any of the plugin’s settings.

Unfortunately, one of these settings, customJS, enables administrators to store custom JavaScript on their site’s posts and pages. Updating this setting is all it would’ve taken for a bad actor to store malicious scripts on the site.”
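To make the two missing checks concrete, here is an added example (written for this page, not code from the Smash Balloon plugin or from Jetpack) of a WordPress admin-ajax settings handler with the same pattern described above, followed by a hardened version. It illustrates both the privilege check and the nonce check discussed in the preceding sections. The action names, option name, setting keys, nonce action and admin page hook suffix are all hypothetical.

```php
<?php
/**
 * Added example (hypothetical names, not the plugin's own code).
 *
 * WordPress routes POST /wp-admin/admin-ajax.php?action=NAME to the callback
 * hooked on "wp_ajax_NAME" for ANY logged-in user, regardless of role, so the
 * handler itself must verify both the nonce (CSRF) and the capability.
 */

// --- Vulnerable pattern: no nonce check, no capability check. ---
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // A subscriber can POST action=example_save_settings&customJS=<script>...
    // and the script is persisted and later printed on the site's pages.
    $settings = get_option( 'example_settings', array() );
    foreach ( $_POST as $key => $value ) {
        $settings[ $key ] = wp_unslash( $value ); // arbitrary keys accepted
    }
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern. ---
add_action( 'wp_ajax_example_save_settings_safe', 'example_save_settings_safe' );
function example_save_settings_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action, sent as
    //    the _ajax_nonce (or _wpnonce) field. check_ajax_referer() terminates
    //    the request with "-1" if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings' );

    // 2. Authorization: only users allowed to manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allow-list the settings instead of accepting arbitrary keys.
    $allowed  = array( 'num_posts', 'show_author', 'customJS' );
    $settings = get_option( 'example_settings', array() );
    foreach ( $allowed as $key ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        $value = wp_unslash( $_POST[ $key ] );
        if ( 'customJS' === $key ) {
            // Raw script is the feature here, so escaping is not the fix.
            // Gate it on the same capability WordPress uses for unfiltered
            // markup in posts, which multisite and hardened installs restrict.
            if ( ! current_user_can( 'unfiltered_html' ) ) {
                continue;
            }
            $settings[ $key ] = $value;
        } else {
            $settings[ $key ] = sanitize_text_field( $value );
        }
    }
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// Mint the nonce for the plugin's admin page script, so the legitimate UI can
// include it as _ajax_nonce in its POST body. 'settings_page_example' is the
// hypothetical hook suffix of that page.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_settings' ),
    ) );
} );
```

A quick way to confirm which pattern a handler follows is to log in as a subscriber, copy the session cookie, and POST to admin-ajax.php with the action name and a harmless value for one of the settings: the vulnerable handler answers with a success JSON object and the option changes, while the hardened one answers "-1" (missing nonce) or a 403 error before touching the database. Note that ordering matters in the hardened version: the nonce is checked before the capability so that an administrator tricked into visiting an attacker's page cannot be made to save settings either.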

The Smash Balloon Social Post Feed WordPress plugin changelog, which details what each version update contains, correctly notes that a security issue was resolved.

A plugin author is responsible not only for fixing vulnerabilities promptly, as Smash Balloon did, but also for recording the fix in the changelog so that site owners know an update matters, as Smash Balloon did.

According to the changelog:

“Fix: Improved security hardening.”

Recommended Action

The Stored XSS vulnerability, which allowed malicious scripts to be stored on affected sites, has been fixed in Smash Balloon Social Post Feed.

Jetpack recommends updating Smash Balloon Social Post Feed to the most recent version available, which at the time of writing is version 4.0.1. Sites that stay on an earlier version remain exposed to any logged-in user who chooses to abuse the flaw.
