Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Security & Risk Analysis

wordpress.org/plugins/custom-facebook-feed

Formerly "Custom Facebook Feed". Display completely customizable Facebook feeds of a Facebook page. Supports Facebook oEmbeds.

200K active installs · v4.7.6 · PHP 7.4+ · WP 4.1+ · Updated Mar 12, 2026
Tags: facebook, facebook-account, facebook-feed, facebook-page, facebook-posts
Score 96 · A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Oct 9, 2025
Safety Verdict

Is Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Safe to Use in 2026?

Generally Safe

Score 96/100

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

8 known CVEs · Last CVE: Oct 9, 2025 · Updated 2mo ago
Risk Assessment

The "custom-facebook-feed" v4.7.6 plugin exhibits a mixed security posture. It demonstrates good practices, such as a significant number of nonce and capability checks and a reasonable share of SQL queries that use prepared statements and output that is properly escaped, but several areas are concerning. The presence of 3 AJAX handlers without authentication checks is a significant risk, because each is a direct entry point for potential attackers. Furthermore, taint analysis revealed 5 high-severity flows with unsanitized paths, indicating potential for vulnerability if these flows are exposed to user input.

The plugin's vulnerability history, with 8 known medium-severity CVEs across common types such as missing authorization and cross-site scripting, suggests a recurring pattern of security weaknesses that requires ongoing attention. While the current version has no unpatched CVEs and the latest vulnerability is dated in the future (likely a typo for a past date), this history warrants caution. Overall, the plugin's implemented checks are a strength, but the identified unprotected entry points and high-severity taint flows, combined with past vulnerability trends, call for careful monitoring and prompt patching of any future disclosures.

Key Concerns

  • Unprotected AJAX handlers present
  • High severity taint flows with unsanitized paths
  • Multiple past medium severity CVEs
Vulnerabilities
8 published

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Security Vulnerabilities

CVEs by Year

2021: 4 CVEs
2022: 1 CVE
2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

Medium: 8 · 8 total CVEs

CVE-2025-49937 · medium · 4.3 · Missing Authorization

Smash Balloon Social Post Feed <= 4.3.2 - Missing Authorization

Oct 9, 2025 · Patched in 4.3.3 (21d)

CVE-2025-4577 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Custom Facebook Feed <= 4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-color` Attribute

Jun 9, 2025 · Patched in 4.3.2 (1d)

CVE-2024-31379 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Smash Balloon Social Post Feed <= 4.2.1 - Cross-Site Request Forgery

Apr 10, 2024 · Patched in 4.2.2 (7d)

CVE-2022-4477 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Post Feed <= 4.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 20, 2022 · Patched in 4.1.6 (399d)

CVE-2021-25065 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Post Feed <= 4.1 - Reflected Cross-Site Scripting

Dec 16, 2021 · Patched in 4.1.1 (768d)

CVE-2021-24918 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Post Feed <= 4.0 - Arbitrary Plugin Settings Update to Stored Cross-Site Scripting

Oct 29, 2021 · Patched in 4.0.1 (816d)

CVE-2021-24508 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Post Feed <= 2.19.1 - Unauthenticated Stored Cross-Site Scripting

Aug 16, 2021 · Patched in 2.19.2 (890d)

WF-0efff314-b14f-4af4-b225-ba7e41d01b2e-custom-facebook-feed · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Plugins (Various Versions) - Reflected Cross-Site Scripting

Jul 20, 2021 · Patched in 2.19.2 (917d)
Version History

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Release Timeline

v4.7.6 · Current · 229 files changed
v4.7.5 · 181 files changed
v4.3.4 · 16 files changed
v4.3.3 · 22 files changed
v4.3.2 · 1 CVE · 4 files changed
v4.3.1 · 2 CVEs · 16 files changed
v4.3.0 · 2 CVEs · 83 files changed
v4.2.6 · 2 CVEs · 123 files changed
v4.2.5 · 2 CVEs · 39 files changed
v4.2.4 · 2 CVEs · 101 files changed
v4.2.3 · 2 CVEs · 19 files changed
v4.2.2 · 2 CVEs · 61 files changed
v4.2.1 · 3 CVEs · 87 files changed
v4.2 · 3 CVEs · 55 files changed
v4.1.9 · 3 CVEs · 35 files changed
v4.1.8 · 3 CVEs · 5 files changed
v4.1.7 · 3 CVEs · 14 files changed
v4.1.6 · 3 CVEs · 11 files changed
v4.1.5 · 4 CVEs · 8 files changed
Code Analysis
Analyzed Mar 16, 2026

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 70 (86 prepared)
Unescaped Output: 262 (487 escaped)
Nonce Checks: 60
Capability Checks: 141
File Operations: 9
External Requests: 13
Bundled Libraries: 0

SQL Query Safety

55% prepared · 156 total queries

Output Escaping

65% escaped · 749 total outputs
Data Flows · Security
6 unsanitized

Data Flow Analysis

20 flows · 6 with unsanitized paths

<support-tools> (admin\views\support\support-tools.php:0)

Columns: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
3 unprotected

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Attack Surface

Entry Points: 55
Unprotected: 3

AJAX Handlers 54

auth · wp_ajax_cff_deactivate_addon · admin\addon-functions.php:40
auth · wp_ajax_cff_activate_addon · admin\addon-functions.php:77
auth · wp_ajax_cff_install_addon · admin\addon-functions.php:181
auth · wp_ajax_cff_lite_dismiss · admin\admin-functions.php:61
auth · wp_ajax_cff_oembed_disable · admin\admin-functions.php:314
auth · wp_ajax_cff_dismiss_custom_cssjs_notice · admin\admin-functions.php:377
auth · wp_ajax_cff_ppca_token_check_flag · admin\admin-functions.php:398
auth · wp_ajax_cff_ppca_token_check_flag · admin\enqueu-script.php:34
auth · wp_ajax_cff_review_notice_dismiss · inc\Admin\CFF_Admin_Notices.php:36
auth · wp_ajax_cff_save_settings · inc\Admin\CFF_Global_Settings.php:73
auth · wp_ajax_cff_activate_license · inc\Admin\CFF_Global_Settings.php:74
auth · wp_ajax_cff_deactivate_license · inc\Admin\CFF_Global_Settings.php:75
auth · wp_ajax_cff_activate_extension_license · inc\Admin\CFF_Global_Settings.php:76
auth · wp_ajax_cff_deactivate_extension_license · inc\Admin\CFF_Global_Settings.php:77
auth · wp_ajax_cff_test_connection · inc\Admin\CFF_Global_Settings.php:78
auth · wp_ajax_cff_import_settings_json · inc\Admin\CFF_Global_Settings.php:79
auth · wp_ajax_cff_export_settings_json · inc\Admin\CFF_Global_Settings.php:80
auth · wp_ajax_cff_clear_cache · inc\Admin\CFF_Global_Settings.php:81
auth · wp_ajax_cff_clear_image_resize_cache · inc\Admin\CFF_Global_Settings.php:82
auth · wp_ajax_cff_dpa_reset · inc\Admin\CFF_Global_Settings.php:83
auth · wp_ajax_cff_review_notice_consent_update · inc\Admin\CFF_New_User.php:42
auth · wp_ajax_cff_dashboard_notification_dismiss · inc\Admin\CFF_Notifications.php:96
auth · wp_ajax_cff_dismiss_upgrade_notice · inc\Admin\CFF_Notifications.php:99
auth · wp_ajax_disable_facebook_oembed · inc\Admin\CFF_oEmbeds.php:53
auth · wp_ajax_disable_instagram_oembed · inc\Admin\CFF_oEmbeds.php:54
auth · wp_ajax_cff_feed_saver_manager_process_wizard · inc\Admin\CFF_Onboarding_Wizard.php:53
auth · wp_ajax_cff_feed_saver_manager_dismiss_wizard · inc\Admin\CFF_Onboarding_Wizard.php:54
auth · wp_ajax_cff_export_settings_json · inc\Admin\CFF_Support.php:58
auth · wp_ajax_cff_create_temp_user · inc\Admin\CFF_Support_Tool.php:99
auth · wp_ajax_cff_delete_temp_user · inc\Admin\CFF_Support_Tool.php:100
auth · wp_ajax_cff_usage_opt_in_or_out · inc\Admin\CFF_Tracking.php:34
nopriv · wp_ajax_cff_run_one_click_upgrade · inc\Admin\CFF_Upgrader.php:50
auth · wp_ajax_cff_maybe_upgrade_redirect · inc\Admin\CFF_Upgrader.php:51
auth · wp_ajax_cff_feed_saver_manager_builder_update · inc\Builder\CFF_Feed_Saver_Manager.php:24
auth · wp_ajax_cff_feed_saver_manager_get_feed_settings · inc\Builder\CFF_Feed_Saver_Manager.php:25
auth · wp_ajax_cff_feed_saver_manager_get_feed_list_page · inc\Builder\CFF_Feed_Saver_Manager.php:26
auth · wp_ajax_cff_feed_saver_manager_get_locations_page · inc\Builder\CFF_Feed_Saver_Manager.php:27
auth · wp_ajax_cff_feed_saver_manager_delete_feeds · inc\Builder\CFF_Feed_Saver_Manager.php:28
auth · wp_ajax_cff_feed_saver_manager_duplicate_feed · inc\Builder\CFF_Feed_Saver_Manager.php:29
auth · wp_ajax_cff_feed_saver_manager_clear_single_feed_cache · inc\Builder\CFF_Feed_Saver_Manager.php:30
auth · wp_ajax_cff_feed_saver_manager_importer · inc\Builder\CFF_Feed_Saver_Manager.php:31
auth · wp_ajax_cff_feed_saver_manager_fly_preview · inc\Builder\CFF_Feed_Saver_Manager.php:32
auth · wp_ajax_cff_feed_saver_manager_retrieve_comments · inc\Builder\CFF_Feed_Saver_Manager.php:33
auth · wp_ajax_cff_feed_saver_manager_delete_source · inc\Builder\CFF_Feed_Saver_Manager.php:34
auth · wp_ajax_cff_source_builder_update · inc\Builder\CFF_Source.php:29
auth · wp_ajax_cff_source_builder_update_multiple · inc\Builder\CFF_Source.php:30
auth · wp_ajax_cff_source_get_page · inc\Builder\CFF_Source.php:31
auth · wp_ajax_cff_source_get_featured_post_preview · inc\Builder\CFF_Source.php:32
auth · wp_ajax_cff_source_get_playlist_post_preview · inc\Builder\CFF_Source.php:33
auth · wp_ajax_cff_dismiss_critical_notice · inc\CFF_Error_Reporter.php:69
auth · wp_ajax_feed_locator · inc\Custom_Facebook_Feed.php:354
nopriv · wp_ajax_feed_locator · inc\Custom_Facebook_Feed.php:355
auth · wp_ajax_sb_facebookfeed_divi_preview · inc\Integrations\Divi\CFF_Divi_Handler.php:74
auth · wp_ajax_cff_reset_unused_feed_usage · inc\Platform_Data.php:67

Shortcodes 1

[custom-facebook-feed] inc\CFF_Shortcode.php:71
WordPress Hooks 89

action · group_post_scheduler_cron · admin\admin-functions.php:11
action · admin_init · admin\admin-functions.php:64
action · cff_cron_job · admin\admin-functions.php:144
action · admin_print_scripts · admin\admin-functions.php:253
action · in_admin_header · admin\admin-functions.php:260
action · admin_init · admin\admin-functions.php:285
action · admin_notices · admin\admin-functions.php:359
action · cff_admin_notices · admin\admin-functions.php:360
action · init · admin\admin-functions.php:489
action · admin_enqueue_scripts · admin\enqueu-script.php:36
action · admin_notices · custom-facebook-feed.php:128
action · admin_menu · inc\Admin\CFF_About_Us.php:50
action · admin_menu · inc\Admin\CFF_Admin.php:42
action · admin_enqueue_scripts · inc\Admin\CFF_Admin.php:157
action · admin_enqueue_scripts · inc\Admin\CFF_Admin.php:158
action · cff_admin_notices · inc\Admin\CFF_Admin_Notices.php:34
action · admin_notices · inc\Admin\CFF_Admin_Notices.php:35
action · wp_enqueue_scripts · inc\Admin\CFF_Callout.php:67
action · admin_enqueue_scripts · inc\Admin\CFF_Callout.php:68
action · wp_dashboard_setup · inc\Admin\CFF_Callout.php:69
action · admin_menu · inc\Admin\CFF_Global_Settings.php:70
filter · admin_footer_text · inc\Admin\CFF_Global_Settings.php:71
filter · update_footer · inc\Admin\CFF_Global_Settings.php:806
action · admin_notices · inc\Admin\CFF_New_User.php:39
action · admin_init · inc\Admin\CFF_New_User.php:41
action · admin_enqueue_scripts · inc\Admin\CFF_Notifications.php:89
action · cff_admin_notices · inc\Admin\CFF_Notifications.php:91
action · cff_notification_update · inc\Admin\CFF_Notifications.php:94
action · cff_header_notices · inc\Admin\CFF_Notifications.php:98
action · admin_menu · inc\Admin\CFF_oEmbeds.php:51
action · admin_menu · inc\Admin\CFF_Onboarding_Wizard.php:42
action · admin_menu · inc\Admin\CFF_Support.php:57
action · admin_menu · inc\Admin\CFF_Support_Tool.php:86
action · admin_footer · inc\Admin\CFF_Support_Tool.php:87
action · init · inc\Admin\CFF_Tracking.php:30
filter · cron_schedules · inc\Admin\CFF_Tracking.php:31
action · cff_usage_tracking_cron · inc\Admin\CFF_Tracking.php:32
action · cff_admin_notices · inc\Admin\CFF_Tracking.php:33
action · admin_init · inc\Builder\CFF_Source.php:34
action · admin_enqueue_scripts · inc\Builder\CFF_Tooltip_Wizard.php:55
action · admin_footer · inc\Builder\CFF_Tooltip_Wizard.php:56
action · init · inc\CFF_Blocks.php:50
action · enqueue_block_editor_assets · inc\CFF_Blocks.php:51
filter · block_categories_all · inc\CFF_Blocks.php:57
action · init · inc\CFF_Blocks.php:58
action · enqueue_block_editor_assets · inc\CFF_Blocks.php:59
action · enqueue_block_editor_assets · inc\CFF_Blocks.php:60
action · elementor/frontend/after_register_scripts · inc\CFF_Elementor_Base.php:28
action · elementor/frontend/after_register_styles · inc\CFF_Elementor_Base.php:29
action · elementor/frontend/after_enqueue_styles · inc\CFF_Elementor_Base.php:30
action · elementor/controls/controls_registered · inc\CFF_Elementor_Base.php:31
action · elementor/widgets/widgets_registered · inc\CFF_Elementor_Base.php:32
action · elementor/init · inc\CFF_Elementor_Base.php:33
action · cff_feed_issue_email · inc\CFF_Error_Reporter.php:68
action · wp_footer · inc\CFF_Error_Reporter.php:70
action · cff_admin_notices · inc\CFF_Error_Reporter.php:71
action · cff_admin_notices · inc\CFF_Error_Reporter.php:72
action · cff_admin_notices · inc\CFF_Error_Reporter.php:73
action · cff_admin_notices · inc\CFF_Error_Reporter.php:74
filter · wt_cli_third_party_scripts · inc\CFF_GDPR_Integrations.php:28
action · init · inc\CFF_Oembed.php:32
action · admin_init · inc\CFF_Oembed.php:33
filter · oembed_providers · inc\CFF_Oembed.php:35
filter · oembed_fetch_url · inc\CFF_Oembed.php:36
filter · oembed_result · inc\CFF_Oembed.php:37
filter · oembed_ttl · inc\CFF_Oembed.php:40
filter · site_status_tests · inc\CFF_SiteHealth.php:44
action · init · inc\Custom_Facebook_Feed.php:342
action · plugins_loaded · inc\Custom_Facebook_Feed.php:343
action · wp_loaded · inc\Custom_Facebook_Feed.php:347
action · wp_footer · inc\Custom_Facebook_Feed.php:349
filter · cron_schedules · inc\Custom_Facebook_Feed.php:351
filter · widget_text · inc\Custom_Facebook_Feed.php:352
action · admin_init · inc\Custom_Facebook_Feed.php:361
action · wp_footer · inc\Custom_Facebook_Feed.php:362
action · wp_enqueue_scripts · inc\Custom_Facebook_Feed.php:476
action · wp_enqueue_scripts · inc\Custom_Facebook_Feed.php:477
filter · sb_analytics_filter_top_posts · inc\Integrations\Analytics\SB_Analytics.php:43
filter · sb_analytics_filter_profile_details · inc\Integrations\Analytics\SB_Analytics.php:51
filter · sb_analytics_filter_feed_list · inc\Integrations\Analytics\SB_Analytics.php:59
action · et_builder_ready · inc\Integrations\Divi\CFF_Divi_Handler.php:71
action · wp_enqueue_scripts · inc\Integrations\Divi\CFF_Divi_Handler.php:78
action · cff_api_connect_response · inc\Platform_Data.php:61
action · cff_before_display_facebook · inc\Platform_Data.php:62
action · cff_app_permission_revoked · inc\Platform_Data.php:63
action · cff_before_delete_old_data · inc\Platform_Data.php:64
action · cff_before_display_facebook · inc\SB_Facebook_Data_Manager.php:48
action · cff_before_display_facebook · inc\SB_Facebook_Data_Manager.php:49
action · sb_facebook_twicedaily · inc\SB_Facebook_Data_Manager.php:50

Scheduled Events 10

cff_cron_job
cff_cache_cron
cff_usage_tracking_cron
group_post_scheduler_cron
group_post_scheduler_cron
cff_feed_issue_email
cff_feed_issue_email
cff_notification_update
cff_cron_job
cff_notification_update
Maintenance & Trust

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 8.9M

Community Trust

Rating: 94/100
Number of ratings: 1,502
Active installs: 200K
Developer Profile

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 752 days
Detection Fingerprints

How We Detect Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-facebook-feed/admin/assets/css/cff-admin-style.css
/wp-content/plugins/custom-facebook-feed/admin/assets/js/cff-admin-scripts.js
/wp-content/plugins/custom-facebook-feed/admin/enqueu-script.php
/wp-content/plugins/custom-facebook-feed/inc/Custom_Facebook_Feed.php
Script Paths
https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css
Version Parameters
custom-facebook-feed/admin/assets/css/cff-admin-style.css?ver=
custom-facebook-feed/admin/assets/js/cff-admin-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
cff_facebook_feed_locator
cff-feed-wrap
HTML Comments
<!-- Custom Facebook Feed -->
Data Attributes
data-cff-id
JS Globals
cffA
Shortcode Output
[custom-facebook-feed
FAQ

Frequently Asked Questions about Smash Balloon Social Post Feed – Simple Social Feeds for WordPress