Smash Balloon Social Post Feed, a WordPress plugin, was found to have a vulnerability that allowed an attacker to upload malicious scripts to affected websites. Security researchers at Jetpack discovered the vulnerability and notified the plugin publishers, who patched it and released a fixed version, version 4.0.1. Versions prior to that one are vulnerable.
Smash Balloon Social Post Feed
The Smash Balloon Social Post Feed WordPress plugin takes Facebook feeds and turns them into posts on a WordPress site.
The free version of the plugin is designed to display Facebook posts in a way that matches the look and feel of the site the Facebook content is republished on. The paid “pro” version also republishes images, videos and comments.
Stored Cross‑Site Scripting via Arbitrary Setting Update
A Stored Cross‑Site Scripting exploit (Stored XSS) is a form of cross-site scripting vulnerability that allows a malicious attacker to upload and permanently store harmful scripts on the server itself.
The non-profit Open Web Application Security Project (OWASP) describes Stored XSS vulnerabilities:
“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database….
The victim then retrieves the malicious script from the server when it requests the stored information.”
Privilege and Nonce Checks Missing
The security advisory published by Jetpack announced that the Smash Balloon Social Post Feed WordPress plugin had two missing safeguards that together created a security problem: privilege checks and nonce checks were both absent.
XSS attacks can typically happen wherever there is a way to upload or enter something to a WordPress site. It can be through a form, in comments, wherever a user can enter data.
A WordPress plugin is supposed to shield the site by performing checks, among them a check for what level of privilege a user has (subscriber, editor, administrator).
Without a proper privilege check a user at the lowest level, like a subscriber, is able to carry out actions that normally require the highest levels of access, such as administrator level privileges.
A nonce is a one-time use security token that is meant to shield inputs from attacks.
The WordPress Nonce Documentation explains the value of nonces:
“If your theme allows users to submit data; be it in the Admin or the front-end; nonces can be used to verify a user intends to perform an action, and is instrumental in protecting against Cross-Site Request Forgery (CSRF).
An example is a WordPress site in which authorized users are allowed to upload videos.”
Jetpack identified a vulnerability in the Smash Balloon plugin that failed to perform the privilege and nonce checks, which opened up the site to attack.
Jetpack described how the vulnerability exposed websites:
“The wp_ajax_cff_save_settings AJAX action, which is responsible for updating the plugin’s inner settings, did not perform any privilege or nonce checks before doing so. This made it possible for any logged-in users to call this action and update any of the plugin’s settings.”
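To make the two missing checks concrete, here is an added example (not Smash Balloon’s code, and not taken from the Jetpack advisory) of a WordPress AJAX settings handler written in the shape the advisory describes, followed by a hardened version that adds the nonce check, the capability check, input sanitization and output escaping. The function names, the option key ‘example_plugin_settings’ and the nonce action ‘example_save_settings’ are hypothetical; the WordPress functions used (check_ajax_referer, current_user_can, sanitize_text_field, esc_html, wp_create_nonce and so on) are the real core APIs.

```php
<?php
// Added example, not the plugin's own code. Plugin-specific names below are hypothetical.

// --- Vulnerable pattern: no capability check, no nonce check, no sanitization.
// wp_ajax_* hooks fire for every authenticated user, so any subscriber could
// post arbitrary settings here, and whatever is stored is later echoed as-is.
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );

// --- Hardened pattern.
function example_save_settings() {
    // 1. Nonce check: proves the request came from a form or script this plugin
    //    rendered for this user (CSRF protection). check_ajax_referer() stops the
    //    request with a -1 / 403 response if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Privilege check: only users who may manage options (administrators) can
    //    change plugin settings; subscribers and other low-privilege roles are refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Sanitize against an allow-list of known keys so script markup is never
    //    stored. Unknown keys are simply dropped.
    $raw   = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean = array(
        'feed_title' => sanitize_text_field( $raw['feed_title'] ?? '' ),
        'post_limit' => absint( $raw['post_limit'] ?? 10 ),
        'custom_css' => wp_strip_all_tags( $raw['custom_css'] ?? '' ),
    );
    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );

// 4. Escape on output as well: defence in depth against stored XSS should a
//    value ever reach the database without sanitization.
function example_render_feed_title() {
    $settings = get_option( 'example_plugin_settings', array() );
    echo '<h2 class="example-feed-title">' . esc_html( $settings['feed_title'] ?? '' ) . '</h2>';
}

// The settings page hands a nonce to its JavaScript so the AJAX request can
// send it as the 'nonce' field that check_ajax_referer() verifies above.
function example_enqueue_settings_script() {
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

The order of the checks matters: the nonce is verified first so a forged request is rejected before any capability logic runs, and the capability check is separate from the nonce check because a valid nonce only proves intent, not authorization. Sanitizing on input and escaping on output are two different layers; the advisory’s stored XSS arises when neither is present on a setting that an unprivileged user can write.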
The Smash Balloon Social Post Feed WordPress plugin changelog, which records what every version update contains, properly notes that a security problem was fixed.
Not only is it responsible to fix vulnerabilities in a timely manner, which Smash Balloon did, but it’s also responsible to note it on the changelog, which Smash Balloon also did.
The changelog states:
“Fix: Improved security hardening.”
Screenshot of Smash Balloon Social Post Feed Changelog
Smash Balloon Social Post Feed was recently patched to fix the stored XSS vulnerability that allowed malicious scripts to be uploaded.
Jetpack recommends updating the Smash Balloon Social Post Feed to the latest version at this writing, which is version 4.0.1. Failure to do so may make a WordPress installation unsafe.
Jetpack Security Advisory
Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster
Google’s Product Reviews update was announced as rolling out for the English language. No mention was made of whether or when it would roll out to other languages. Google’s John Mueller then answered a question about whether it is rolling out to other languages.
Google December 2021 Product Reviews Update
On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.
Our December 2021 product reviews update is now rolling out for English-language pages. It will take about three weeks to complete. We have also extended our advice for product review creators: https://t.co/N4rjJWoaqE
— Google Search Central (@googlesearchc) December 1, 2021
The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.
A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:
“Mainly relevant to sites that post articles reviewing products.
Think of sites like “best TVs under $200″.com.
Goal is to improve the quality and usefulness of reviews we show users.”
Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.
The first best practice was a requirement of evidence that a product was actually handled and reviewed.
The second best practice was to provide links to more than one place that a user could purchase the product.
The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.
Google’s Mueller Thinking About Product Reviews Update
Product Review Update Targets More Languages?
The person asking the question was rightly under the impression that the product review update only affected English language search results.
But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.
This is his question:
“I was seeing some movements in German search as well.
So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.
…My question is, is it possible that the product reviews update affects other sites as well?”
John Mueller answered:
“I don’t know… like other languages?
My assumption was this was global and across all languages.
But I don’t know what we announced in the blog post specifically.
But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.
I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.
But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.
And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.
So I’m not particularly surprised that you see changes in Germany.
But I also don’t know what we actually announced with regards to the locations and languages that are involved.”
Does Product Reviews Update Affect More Languages?
While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.
Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.
One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.
It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.
Google Blog Post About Product Reviews Update
Google’s New Product Reviews Guidelines
John Mueller Discusses If Product Reviews Update Is Global
Watch Mueller answer the question at the 14:00 Minute Mark