WordPress Facebook Feed Plugin Vulnerability Exposes 200,000+ Websites
Smash Balloon Social Post Feed, a WordPress plugin, was found to contain a vulnerability that allowed an attacker to store malicious scripts on affected websites. Security researchers at Jetpack discovered the vulnerability and notified the plugin publishers, who patched it and released a fixed version, version 4.0.1. Versions prior to that one are vulnerable.

Smash Balloon Social Post Feed

Smash Balloon Social Post Feed WordPress plugin takes Facebook feeds and turns them into posts on a WordPress site.

The free version of the plugin is designed to display Facebook posts in a way that matches the look and feel of the site the Facebook content is republished on. The paid “pro” version also republishes images, videos and comments.

Stored Cross‑Site Scripting via Arbitrary Setting Update

A Stored Cross‑Site Scripting exploit (Stored XSS) is a form of cross-site scripting vulnerability that allows an attacker to upload harmful scripts and have them permanently stored on the server itself.

The non-profit Open Web Application Security Project (OWASP) describes Stored XSS vulnerabilities:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database….

The victim then retrieves the malicious script from the server when it requests the stored information.”

Privilege and Nonce Checks Missing

The security advisory published by Jetpack reported that the Smash Balloon Social Post Feed WordPress plugin had two missing safeguards that together created the vulnerability: a privilege check and a nonce check.

XSS attacks can typically happen wherever a WordPress site accepts input: through a form, in comments, anywhere a user can enter data.
A WordPress plugin is supposed to shield the site by performing checks, among them a check for what level of privilege a user has (subscriber, editor, administrator).

Without a proper privilege check a user at the lowest level, like a subscriber, is able to carry out actions that normally require the highest levels of access, such as administrator level privileges.

A nonce is a one-time-use security token that is meant to verify that a request was intentionally made by the user, shielding input handlers from forged requests.

The WordPress Nonce Documentation explains the value of nonces:

“If your theme allows users to submit data; be it in the Admin or the front-end; nonces can be used to verify a user intends to perform an action, and is instrumental in protecting against Cross-Site Request Forgery (CSRF).

An example is a WordPress site in which authorized users are allowed to upload videos.”

Jetpack identified a vulnerability in the Smash Balloon plugin that failed to perform the privilege and nonce checks, which opened up the site to attack.

Jetpack described how the vulnerability exposed websites:

“The wp_ajax_cff_save_settings AJAX action, which is responsible for updating the plugin’s inner settings, did not perform any privilege or nonce checks before doing so. This made it possible for any logged-in users to call this action and update any of the plugin’s settings.

Unfortunately, one of these settings, customJS, enables administrators to store custom JavaScript on their site’s posts and pages. Updating this setting is all it would’ve taken for a bad actor to store malicious scripts on the site.”
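The two missing checks, shown as an added example written here rather than the plugin's own code: a WordPress AJAX handler in the vulnerable shape the advisory describes, beside a hardened version that verifies a nonce, requires a capability and accepts only known settings keys. The handler names, the `cff_settings` option key, the nonce action string and the settings keys are assumptions.

```php
<?php
// Added example, not the plugin's own code. Handler names, the 'cff_settings'
// option key, the nonce action string and the settings keys are assumptions.

// Vulnerable shape described in the advisory: no nonce, no capability check,
// so any logged-in user (or a CSRF victim) can overwrite every setting,
// including the administrator-only customJS value.
function cff_save_settings_insecure() {
    update_option( 'cff_settings', $_POST['settings'] ?? array() );
    wp_send_json_success();
}

// Hardened handler: nonce check, privilege check, then a key whitelist.
function cff_save_settings_secure() {
    // 1. Nonce: proves the request originated from a page WordPress served to
    //    this user (defeats CSRF). Sends a 403 and stops if it does not match.
    check_ajax_referer( 'cff_save_settings', 'nonce' );

    // 2. Privilege: only users who may manage site options continue.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $in    = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = get_option( 'cff_settings', array() );

    // 3. Accept only known keys, each sanitized for its type.
    $clean['show_posts'] = ! empty( $in['show_posts'] );
    $clean['num_posts']  = absint( $in['num_posts'] ?? 10 );

    // customJS is script by design; gate it behind unfiltered_html so that
    // even an administrator on a multisite without that capability cannot
    // store raw script through this endpoint.
    if ( isset( $in['customJS'] ) && current_user_can( 'unfiltered_html' ) ) {
        $clean['customJS'] = (string) $in['customJS'];
    }

    update_option( 'cff_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_cff_save_settings', 'cff_save_settings_secure' );

// The settings page must issue the matching nonce to the JavaScript that
// posts to admin-ajax.php, e.g. via wp_localize_script():
//   wp_localize_script( 'cff-admin', 'cffAdmin',
//       array( 'nonce' => wp_create_nonce( 'cff_save_settings' ) ) );
```

When reviewing a plugin, look for every `wp_ajax_*` and `wp_ajax_nopriv_*` action that writes options or content and confirm both checks sit at the top of the handler; the `wp_ajax_` prefix alone only proves the caller is logged in.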


The Smash Balloon Social Post Feed WordPress plugin changelog, which records what every version update contains, properly notes that a security problem was fixed.

Not only is it responsible to fix vulnerabilities in a timely manner, which Smash Balloon did, but it’s also responsible to note it on the changelog, which Smash Balloon also did.

The changelog states:

“Fix: Improved security hardening.”

Screenshot of Smash Balloon Social Post Feed Changelog

Recommended Action

Smash Balloon Social Post Feed was recently patched to fix the Stored XSS vulnerability that allowed malicious scripts to be stored on the site.

Jetpack recommends updating the Smash Balloon Social Post Feed to the latest version at this writing, which is version 4.0.1. Failure to do so may make a WordPress installation unsafe.


Jetpack Security Advisory

Security Issues Patched in Smash Balloon Social Post Feed Plugin

Google December Product Reviews Update Affects More Than English Language Sites?

Google’s Product Reviews update was announced as rolling out to the English language. No mention was made of if or when it would roll out to other languages. John Mueller answered a question about whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.

Think of sites like “best TVs under $200”.com.

Goal is to improve the quality and usefulness of reviews we show users.”

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.

But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.

So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.

…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?

My assumption was this was global and across all languages.

But I don’t know what we announced in the blog post specifically.


But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.

I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.

But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.

And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.

So I’m not particularly surprised that you see changes in Germany.

But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language, the official blog post did not mention any such limitation.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.


One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.


Google Blog Post About Product Reviews Update

Product reviews update and your site

Google’s New Product Reviews Guidelines

Write high quality product reviews

John Mueller Discusses If Product Reviews Update Is Global

Watch Mueller answer the question at the 14:00 Minute Mark
