### [CVE-2021-24508](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24508)
![](https://img.shields.io/static/v1?label=Product&message=Smash%20Balloon%20Social%20Post%20Feed&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=2.19.2%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%20Cross-site%20Scripting%20(XSS)&color=brightgreen)

### Description

The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged in administrator.

### POC

#### Reference
- https://wpscan.com/vulnerability/2b543740-d4b0-49b5-a021-454a3a72162f

#### Github
- https://github.com/20142995/nuclei-templates