CVE-2026-12002 in Easy Social Feeds Plugin
Summary
by MITRE • 07/08/2026
The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybe_connection_data function. This makes it possible for unauthenticated attackers to overwrite the site's Instagram and Facebook oEmbed access tokens via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The Smash Balloon Social Photo Feed plugin for WordPress represents a widely used social media integration tool that enables websites to display content from various social platforms including Instagram and Facebook. This plugin has been identified with a critical cross-site request forgery vulnerability affecting all versions up to and including 6.11.1, creating a significant security risk for WordPress sites that utilize this functionality. The vulnerability stems from inadequate nonce validation within the maybe_connection_data function, which serves as a crucial security mechanism designed to prevent unauthorized requests from being processed.
The technical flaw manifests in the absence of proper nonce verification when processing connection data updates through the plugin's administrative interface. Nonces, or number used once, are cryptographic tokens that ensure requests originate from legitimate sources and have not been tampered with during transmission. When this validation is missing or incorrectly implemented, attackers can craft malicious requests that appear to come from authenticated administrators. The vulnerability specifically targets the oEmbed access token configuration process for Instagram and Facebook connections, allowing unauthorized modifications to critical authentication credentials without proper authorization.
The operational impact of this vulnerability extends beyond simple data manipulation as it provides attackers with persistent access to social media content integration capabilities. An unauthenticated attacker who successfully tricks a site administrator into clicking on a malicious link can overwrite the Instagram and Facebook oEmbed tokens, effectively compromising the website's ability to securely retrieve and display social media content. This creates a persistent threat vector where attackers can maintain unauthorized access to social media feeds while potentially gaining insights into social media engagement patterns or even using compromised credentials for additional attacks. The vulnerability undermines the principle of least privilege by allowing unauthorized token modifications that could enable broader access to social media accounts or content.
This vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery issues in web applications, and relates to ATT&CK technique T1566.002 for credential access through social engineering attacks. The attack vector typically involves social engineering tactics where administrators are tricked into visiting malicious websites or clicking on compromised links that automatically submit forged requests to the vulnerable WordPress site. Organizations should immediately update to version 6.11.2 or later to address this vulnerability, as well as implement additional security measures such as monitoring for unauthorized configuration changes and ensuring proper user education regarding suspicious link clicking behavior.
Mitigation strategies include immediate patching of all affected installations, implementation of web application firewalls to detect and block suspicious requests, and regular security audits of plugin configurations. Administrators should also consider implementing additional authentication layers and monitoring access patterns to identify potential exploitation attempts. The vulnerability highlights the importance of proper input validation and nonce implementation in WordPress plugins, particularly those handling sensitive authentication data and external API connections. Organizations utilizing this plugin should conduct comprehensive security assessments to ensure no unauthorized modifications have occurred and establish robust incident response procedures for potential compromise scenarios.