Custom Facebook Feed, a customizable, responsive and search-engine-crawlable WordPress plugin, exposed endpoints that were reachable by any user with an account on the vulnerable site. Some of these endpoints could be abused by an attacker to carry out stored cross-site scripting (also called persistent or second-order XSS).
The issues were found during an internal audit of the Custom Facebook Feed plugin. The core problem was a set of endpoints that accepted and persisted attacker-controlled content without adequate checks. Successful exploitation would let an attacker store a malicious script that is then served on every page and section of the vulnerable site. If an administrator later logs in and loads a page carrying the payload, the script executes in the administrator's browser with their authenticated session, allowing the attacker to perform administrative actions on their behalf.
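To make the vulnerability class concrete, here is a generic WordPress illustration of the pattern described above: an admin-ajax endpoint that any logged-in account can reach, paired with the hardened form. This is example code added for this post, not the Custom Facebook Feed plugin's code; the hook names, option name, nonce action and the `manage_options` capability are assumptions chosen for the illustration.

```php
<?php
/**
 * Generic illustration of stored XSS via an AJAX endpoint that any
 * authenticated user can reach. Example code written for this post;
 * NOT the Custom Facebook Feed plugin's code. Hook names, the option
 * name and the capability used below are assumptions.
 */

// --- Vulnerable pattern ------------------------------------------------------
// wp_ajax_{action} hooks fire for ANY authenticated user, including
// subscribers. Nothing here checks a nonce or a capability, the input is
// stored raw, and it is later echoed without escaping.
add_action( 'wp_ajax_demo_save_feed_header', 'demo_save_feed_header_vulnerable' );
function demo_save_feed_header_vulnerable() {
    $header = isset( $_POST['header'] ) ? $_POST['header'] : '';
    update_option( 'demo_feed_header', $header ); // stored as-is, e.g. <script>...</script>
    wp_send_json_success();
}

// Rendered wherever the feed is output: the stored payload runs in every
// visitor's browser, including an administrator's, with that user's session.
function demo_render_feed_header_vulnerable() {
    echo '<h2>' . get_option( 'demo_feed_header', '' ) . '</h2>';
}

// --- Hardened pattern --------------------------------------------------------
// 1. Require a capability an ordinary account does not hold.
// 2. Require a nonce so the request must originate from the plugin's own
//    settings UI (this also blocks CSRF against a logged-in administrator).
// 3. Sanitize on input and, independently, escape on output.
add_action( 'wp_ajax_demo_save_feed_header_safe', 'demo_save_feed_header_hardened' );
function demo_save_feed_header_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Verifies the 'nonce' POST field against the 'demo_feed_settings' action
    // and terminates the request on failure.
    check_ajax_referer( 'demo_feed_settings', 'nonce' );

    $header = isset( $_POST['header'] )
        ? sanitize_text_field( wp_unslash( $_POST['header'] ) )
        : '';
    update_option( 'demo_feed_header', $header );
    wp_send_json_success();
}

function demo_render_feed_header_hardened() {
    // Escape at the point of output regardless of what was stored; this is the
    // control that still holds if an older, unsanitized value is already in the DB.
    echo '<h2>' . esc_html( get_option( 'demo_feed_header', '' ) ) . '</h2>';
}
```

The settings page that posts to the hardened endpoint would generate the token with `wp_create_nonce( 'demo_feed_settings' )` and send it as the `nonce` field. Two points worth checking when auditing a plugin of this kind: any `wp_ajax_*` handler is reachable by every authenticated role unless it checks a capability itself, and a `wp_ajax_nopriv_*` handler is reachable with no account at all.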
The recently released 4.0.1 update fixes these problems. If you use the Custom Facebook Feed plugin (referred to as Smash Balloon Social Post Feed in Jetpack's advisory) and have not yet updated, we strongly advise updating as soon as possible. Jetpack, the WordPress site security provider, discovered and reported the issue. Here is their statement on the topic:
“We recommend that you check which version of the Smash Balloon Social Post Feed plugin your site is using, and if it is less than 4.0.1, update it as soon as possible! At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.”