Stored Cross-Site Scripting via `data-plugin` Attribute
A security flaw in the Smash Balloon Social Photo Feed plugin allows a user with at least “Contributor” privileges (i.e. authenticated but not an administrator) to inject arbitrary JavaScript into site pages via the plugin’s `data-plugin` attribute.
This vulnerability affects the following application versions:
- Smash Balloon Social Photo Feed 6.1.3
- Smash Balloon Social Photo Feed 6.1.4
- Smash Balloon Social Photo Feed 6.1.5
- Smash Balloon Social Photo Feed 6.1.6
- Smash Balloon Social Photo Feed 6.2
- Smash Balloon Social Photo Feed 6.2.1
- Smash Balloon Social Photo Feed 6.2.2
- Smash Balloon Social Photo Feed 6.2.3
- Smash Balloon Social Photo Feed 6.2.4
- Smash Balloon Social Photo Feed 6.2.5
- Smash Balloon Social Photo Feed 6.2.6
- Smash Balloon Social Photo Feed 6.2.7
- Smash Balloon Social Photo Feed 6.2.8
- Smash Balloon Social Photo Feed 6.2.9
- Smash Balloon Social Photo Feed 6.2.10
- Smash Balloon Social Photo Feed 6.3
- Smash Balloon Social Photo Feed 6.3.1
- Smash Balloon Social Photo Feed 6.4
- Smash Balloon Social Photo Feed 6.4.1
- Smash Balloon Social Photo Feed 6.4.2
- Smash Balloon Social Photo Feed 6.4.3
- Smash Balloon Social Photo Feed 6.5.0
- Smash Balloon Social Photo Feed 6.5.1
- Smash Balloon Social Photo Feed 6.6.0
- Smash Balloon Social Photo Feed 6.6.1
- Smash Balloon Social Photo Feed 6.7.0
- Smash Balloon Social Photo Feed 6.7.1
- Smash Balloon Social Photo Feed 6.8.0
- Smash Balloon Social Photo Feed 6.9.0