Cross-Site Request Forgery Vulnerability in Smash Balloon Social Photo Feed Plugin for WordPress
CVE-2026-12002

4.7MEDIUM

What is CVE-2026-12002?

The Smash Balloon Social Photo Feed plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in the maybe_connection_data function. This vulnerability allows attackers to exploit the plugin by tricking site administrators into clicking a malicious link, subsequently allowing unauthorized modification of Instagram and Facebook oEmbed access tokens without proper authentication.

Affected Version(s)

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin 0 <= 6.11.1

References

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

normaandersonfrank
.