CVE-2021-24918: 
WordPress vulnerability analysis and mitigation

The Smash Balloon Social Post Feed WordPress plugin (also known as Custom Facebook Feed) before version 4.0.1 contained a security vulnerability identified as CVE-2021-24918. The vulnerability was discovered during an internal audit and affected sensitive AJAX endpoints that were accessible to any users with an account on the vulnerable site (Jetpack Blog).

The vulnerability stemmed from the wpajaxcffsavesettings AJAX action, which lacked proper privilege or nonce validation before saving the plugin's settings. The vulnerability was classified as a Stored Cross-Site Scripting (XSS) issue with a CVSSv3.1 score of 7.3 (high) and a CWSS score of 80.6. The security flaw was categorized under CWE-284 (Access Controls) and was considered an A5: Broken Access Control issue according to the OWASP Top 10 classification (WPScan).

The vulnerability allowed any authenticated user, including subscribers, to update plugin settings and store malicious JavaScript code on every post and page of the affected site. If an administrator visited an affected URL, the malicious script could execute administrative actions on their behalf, potentially leading to unauthorized administrator account creation and rogue plugin installation (Jetpack Blog).

The vulnerability was patched in version 4.0.1 of the Smash Balloon Social Post Feed plugin, released on October 21, 2021. Site administrators were strongly advised to update to this version or later to protect their sites. Additionally, implementing a comprehensive security solution like Jetpack Security was recommended as an additional protective measure (Jetpack Blog).