{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4583", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-12T13:21:22.770Z", "datePublished": "2025-05-29T04:23:08.202Z", "dateUpdated": "2026-04-08T16:42:06.576Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:06.576Z"}, "affected": [{"vendor": "https://profiles.wordpress.org/smub/", "product": "Smash Balloon Instagram Feed Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "smub", "product": "Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 (Free) and 6.8.0 (Pro) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Smash Balloon Instagram Feed <= 6.9.0 (Free) & <= 6.8.0 (Pro) - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23e47daa-79e7-4ed3-a88a-0f090e9aa277?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/instagram-feed/tags/6.9.0/js/sb-instagram-admin-6.js#L428"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-05-11T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-05-28T16:22:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-29T13:17:41.889844Z", "id": "CVE-2025-4583", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-29T13:17:48.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4583", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-29T13:17:41.889844Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-29T13:17:45.471Z"}}], "cna": {"title": "Smash Balloon Instagram Feed <= 6.9.0 (Free) & <= 6.8.0 (Pro) - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "https://profiles.wordpress.org/smub/", "product": "Smash Balloon Instagram Feed Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.8.0"}], "defaultStatus": "unaffected"}, {"vendor": "smub", "product": "Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.9.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-11T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-05-28T16:22:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23e47daa-79e7-4ed3-a88a-0f090e9aa277?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/instagram-feed/tags/6.9.0/js/sb-instagram-admin-6.js#L428"}], "descriptions": [{"lang": "en", "value": "The Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 (Free) and 6.8.0 (Pro) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:06.576Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4583", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:06.576Z", "dateReserved": "2025-05-12T13:21:22.770Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-29T04:23:08.202Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 (Free) and 6.8.0 (Pro) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Smash Balloon Social Photo Feed \u2013 Easy Social Feeds para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del atributo `data-plugin` en todas las versiones hasta la 6.9.0 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4583", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-29T05:15:21.190", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/instagram-feed/tags/6.9.0/js/sb-instagram-admin-6.js#L428"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23e47daa-79e7-4ed3-a88a-0f090e9aa277?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:54:43.739714+00:00", "value": {"mitigation_remediation": ["Upgrade Smash Balloon Instagram Feed plugin to the latest available version (>=6.9.1 for Free, >=6.8.1 for Pro) where the data\u2011plugin attribute has been properly sanitized.", "If you no longer rely on the plugin or the latest version is incompatible, remove or deactivate it entirely to eliminate the attack surface.", "Revoke or reduce Contributor\u2011level access for users who do not need to edit plugin settings, limiting the pool of potential attackers."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vendors and products affected include Smash Balloon\u2019s Instagram Feed Free and Pro plugins. All installations of the Free plugin version 6.9.0 or earlier, and the Pro plugin version 6.8.0 or earlier, on WordPress sites are vulnerable. Any WordPress owner who has these plugin versions installed and who has users with Contributor\u2011level or higher privileges is at risk.", "description_and_impact": "The Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin contains a stored cross\u2011site scripting flaw. The vulnerability resides in the data\u2011plugin attribute, which is not sanitized or escaped when saved. An authenticated Contributor or higher can inject arbitrary JavaScript that will run in the browsers of any user who views a page where the plugin renders. The attack allows the execution of malicious scripts, potentially leading to defacement, theft of session cookies, or further intrusion, as defined by CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates a moderate severity. The EPSS score of less than 1 percent shows a low probability of observed exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, successful exploitation requires an account with Contributor role or higher, which is commonly granted to content editors. The attacker can inject scripts into the data\u2011plugin attribute, which will execute automatically when other users load affected pages, providing a persistence mechanism. Given the moderate score and low exploitation probability, site administrators should treat this as a medium\u2011risk threat that warrants timely remediation."}}}}, "created": "2026-04-22T15:00:05.626744+00:00", "updated": "2026-04-22T15:00:05.626791+00:00", "vendors": []}