CVE-2021-24508: 
WordPress vulnerability analysis and mitigation

The Smash Balloon Social Post Feed WordPress plugin before version 2.19.2 contains an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24508. The vulnerability was discovered and publicly disclosed on August 16, 2021. This security flaw affects the custom-facebook-feed plugin and has been assigned a critical CVSS score of 9.6 (WPScan).

The vulnerability exists in the feed_locator AJAX action where the plugin fails to properly sanitize or escape the feedID POST parameter. When this parameter is processed, a truncated version of it is output in the admin dashboard without proper security controls. The exploit has specific requirements: the payload size must be limited to 31 characters, the feedID parameter length must exceed 31 characters to trigger the unescaped data output, and the shortCodeAtts parameter value must be unique (WPScan).

When successfully exploited, this vulnerability allows both authenticated and unauthenticated users to store and execute malicious JavaScript code in the context of a logged-in administrator. This could potentially lead to complete site compromise as the code executes with administrator privileges (WPScan).

The vulnerability has been patched in version 2.19.2 of the Smash Balloon Social Post Feed plugin. Users are strongly advised to update to this version or later to protect their WordPress installations (WPScan).