Cross-Site Request Forgery Vulnerability in Smash Balloon Social Photo Feed Plugin for WordPress
CVE-2026-12002
4.7MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 8 July 2026
What is CVE-2026-12002?
The Smash Balloon Social Photo Feed plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in the maybe_connection_data function. This vulnerability allows attackers to exploit the plugin by tricking site administrators into clicking a malicious link, subsequently allowing unauthorized modification of Instagram and Facebook oEmbed access tokens without proper authentication.
Affected Version(s)
Smash Balloon Social Photo Feed β Easy Social Feeds Plugin 0 <= 6.11.1