Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Security & Risk Analysis

wordpress.org/plugins/custom-facebook-feed

Formerly "Custom Facebook Feed". Display completely customizable Facebook feeds of a Facebook page. Supports Facebook oEmbeds.

200K active installs · v4.7.6 · PHP 7.4+ · WP 4.1+ · Updated Mar 12, 2026
Tags: facebook, facebook-account, facebook-feed, facebook-page, facebook-posts

Score: 95 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Oct 9, 2025
Safety Verdict

Is Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Safe to Use in 2026?

Generally Safe

Score 95/100

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Oct 9, 2025 · Updated 21d ago
Risk Assessment

The "custom-facebook-feed" v4.7.6 plugin exhibits a mixed security posture. While it demonstrates good practices like a significant number of nonce and capability checks, and a reasonable percentage of SQL queries using prepared statements and proper output escaping, there are several concerning areas. The presence of 3 AJAX handlers without authentication checks is a significant risk, creating direct entry points for potential attackers. Furthermore, the taint analysis revealed 5 high-severity flows with unsanitized paths, indicating potential for vulnerability if these flows are exposed to user input. The plugin's vulnerability history, with 8 known medium-severity CVEs across common types like missing authorization and cross-site scripting, suggests a recurring pattern of security weaknesses that require ongoing attention and vigilance. While the current version has no unpatched CVEs and the latest vulnerability was in the future (likely a typo and referring to a past date), this history warrants caution. Overall, the plugin has strengths in its implemented checks, but the identified unprotected entry points and high-severity taint flows, coupled with past vulnerability trends, necessitate careful monitoring and prompt patching of any future disclosures.

Key Concerns

  • Unprotected AJAX handlers present
  • High severity taint flows with unsanitized paths
  • Multiple past medium severity CVEs
Vulnerabilities
8

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Security Vulnerabilities

CVEs by Year

2021: 4 CVEs
2022: 1 CVE
2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

Medium: 8 (8 total CVEs)

CVE-2025-49937 · medium · 4.3 · Missing Authorization

Smash Balloon Social Post Feed <= 4.3.2 - Missing Authorization

Oct 9, 2025 · Patched in 4.3.3 (21d)

CVE-2025-4577 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Custom Facebook Feed <= 4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-color` Attribute

Jun 9, 2025 · Patched in 4.3.2 (1d)

CVE-2024-31379 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Smash Balloon Social Post Feed <= 4.2.1 - Cross-Site Request Forgery

Apr 10, 2024 · Patched in 4.2.2 (7d)

CVE-2022-4477 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Post Feed <= 4.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 20, 2022 · Patched in 4.1.6 (399d)

CVE-2021-25065 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Post Feed <= 4.1 - Reflected Cross-Site Scripting

Dec 16, 2021 · Patched in 4.1.1 (768d)

CVE-2021-24918 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Post Feed <= 4.0 - Arbitrary Plugin Settings Update to Stored Cross-Site Scripting

Oct 29, 2021 · Patched in 4.0.1 (816d)

CVE-2021-24508 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Post Feed <= 2.19.1 - Unauthenticated Stored Cross-Site Scripting

Aug 16, 2021 · Patched in 2.19.2 (890d)

WF-0efff314-b14f-4af4-b225-ba7e41d01b2e-custom-facebook-feed · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Plugins (Various Versions) - Reflected Cross-Site Scripting

Jul 20, 2021 · Patched in 2.19.2 (917d)
Code Analysis
Analyzed Mar 16, 2026

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 70 (86 prepared)
Unescaped Output: 262 (487 escaped)
Nonce Checks: 60
Capability Checks: 141
File Operations: 9
External Requests: 13
Bundled Libraries: 0

SQL Query Safety

55% prepared · 156 total queries

Output Escaping

65% escaped · 749 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

20 flows · 6 with unsanitized paths
<support-tools> (admin\views\support\support-tools.php:0)
Attack Surface
3 unprotected

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Attack Surface

Entry Points: 55
Unprotected: 3

AJAX Handlers 54

Auth | Handler | Location
auth | wp_ajax_cff_deactivate_addon | admin\addon-functions.php:40
auth | wp_ajax_cff_activate_addon | admin\addon-functions.php:77
auth | wp_ajax_cff_install_addon | admin\addon-functions.php:181
auth | wp_ajax_cff_lite_dismiss | admin\admin-functions.php:61
auth | wp_ajax_cff_oembed_disable | admin\admin-functions.php:314
auth | wp_ajax_cff_dismiss_custom_cssjs_notice | admin\admin-functions.php:377
auth | wp_ajax_cff_ppca_token_check_flag | admin\admin-functions.php:398
auth | wp_ajax_cff_ppca_token_check_flag | admin\enqueu-script.php:34
auth | wp_ajax_cff_review_notice_dismiss | inc\Admin\CFF_Admin_Notices.php:36
auth | wp_ajax_cff_save_settings | inc\Admin\CFF_Global_Settings.php:73
auth | wp_ajax_cff_activate_license | inc\Admin\CFF_Global_Settings.php:74
auth | wp_ajax_cff_deactivate_license | inc\Admin\CFF_Global_Settings.php:75
auth | wp_ajax_cff_activate_extension_license | inc\Admin\CFF_Global_Settings.php:76
auth | wp_ajax_cff_deactivate_extension_license | inc\Admin\CFF_Global_Settings.php:77
auth | wp_ajax_cff_test_connection | inc\Admin\CFF_Global_Settings.php:78
auth | wp_ajax_cff_import_settings_json | inc\Admin\CFF_Global_Settings.php:79
auth | wp_ajax_cff_export_settings_json | inc\Admin\CFF_Global_Settings.php:80
auth | wp_ajax_cff_clear_cache | inc\Admin\CFF_Global_Settings.php:81
auth | wp_ajax_cff_clear_image_resize_cache | inc\Admin\CFF_Global_Settings.php:82
auth | wp_ajax_cff_dpa_reset | inc\Admin\CFF_Global_Settings.php:83
auth | wp_ajax_cff_review_notice_consent_update | inc\Admin\CFF_New_User.php:42
auth | wp_ajax_cff_dashboard_notification_dismiss | inc\Admin\CFF_Notifications.php:96
auth | wp_ajax_cff_dismiss_upgrade_notice | inc\Admin\CFF_Notifications.php:99
auth | wp_ajax_disable_facebook_oembed | inc\Admin\CFF_oEmbeds.php:53
auth | wp_ajax_disable_instagram_oembed | inc\Admin\CFF_oEmbeds.php:54
auth | wp_ajax_cff_feed_saver_manager_process_wizard | inc\Admin\CFF_Onboarding_Wizard.php:53
auth | wp_ajax_cff_feed_saver_manager_dismiss_wizard | inc\Admin\CFF_Onboarding_Wizard.php:54
auth | wp_ajax_cff_export_settings_json | inc\Admin\CFF_Support.php:58
auth | wp_ajax_cff_create_temp_user | inc\Admin\CFF_Support_Tool.php:99
auth | wp_ajax_cff_delete_temp_user | inc\Admin\CFF_Support_Tool.php:100
auth | wp_ajax_cff_usage_opt_in_or_out | inc\Admin\CFF_Tracking.php:34
nopriv | wp_ajax_cff_run_one_click_upgrade | inc\Admin\CFF_Upgrader.php:50
auth | wp_ajax_cff_maybe_upgrade_redirect | inc\Admin\CFF_Upgrader.php:51
auth | wp_ajax_cff_feed_saver_manager_builder_update | inc\Builder\CFF_Feed_Saver_Manager.php:24
auth | wp_ajax_cff_feed_saver_manager_get_feed_settings | inc\Builder\CFF_Feed_Saver_Manager.php:25
auth | wp_ajax_cff_feed_saver_manager_get_feed_list_page | inc\Builder\CFF_Feed_Saver_Manager.php:26
auth | wp_ajax_cff_feed_saver_manager_get_locations_page | inc\Builder\CFF_Feed_Saver_Manager.php:27
auth | wp_ajax_cff_feed_saver_manager_delete_feeds | inc\Builder\CFF_Feed_Saver_Manager.php:28
auth | wp_ajax_cff_feed_saver_manager_duplicate_feed | inc\Builder\CFF_Feed_Saver_Manager.php:29
auth | wp_ajax_cff_feed_saver_manager_clear_single_feed_cache | inc\Builder\CFF_Feed_Saver_Manager.php:30
auth | wp_ajax_cff_feed_saver_manager_importer | inc\Builder\CFF_Feed_Saver_Manager.php:31
auth | wp_ajax_cff_feed_saver_manager_fly_preview | inc\Builder\CFF_Feed_Saver_Manager.php:32
auth | wp_ajax_cff_feed_saver_manager_retrieve_comments | inc\Builder\CFF_Feed_Saver_Manager.php:33
auth | wp_ajax_cff_feed_saver_manager_delete_source | inc\Builder\CFF_Feed_Saver_Manager.php:34
auth | wp_ajax_cff_source_builder_update | inc\Builder\CFF_Source.php:29
auth | wp_ajax_cff_source_builder_update_multiple | inc\Builder\CFF_Source.php:30
auth | wp_ajax_cff_source_get_page | inc\Builder\CFF_Source.php:31
auth | wp_ajax_cff_source_get_featured_post_preview | inc\Builder\CFF_Source.php:32
auth | wp_ajax_cff_source_get_playlist_post_preview | inc\Builder\CFF_Source.php:33
auth | wp_ajax_cff_dismiss_critical_notice | inc\CFF_Error_Reporter.php:69
auth | wp_ajax_feed_locator | inc\Custom_Facebook_Feed.php:354
nopriv | wp_ajax_feed_locator | inc\Custom_Facebook_Feed.php:355
auth | wp_ajax_sb_facebookfeed_divi_preview | inc\Integrations\Divi\CFF_Divi_Handler.php:74
auth | wp_ajax_cff_reset_unused_feed_usage | inc\Platform_Data.php:67

Shortcodes 1

[custom-facebook-feed] inc\CFF_Shortcode.php:71
WordPress Hooks 89

Type | Hook | Location
action | group_post_scheduler_cron | admin\admin-functions.php:11
action | admin_init | admin\admin-functions.php:64
action | cff_cron_job | admin\admin-functions.php:144
action | admin_print_scripts | admin\admin-functions.php:253
action | in_admin_header | admin\admin-functions.php:260
action | admin_init | admin\admin-functions.php:285
action | admin_notices | admin\admin-functions.php:359
action | cff_admin_notices | admin\admin-functions.php:360
action | init | admin\admin-functions.php:489
action | admin_enqueue_scripts | admin\enqueu-script.php:36
action | admin_notices | custom-facebook-feed.php:128
action | admin_menu | inc\Admin\CFF_About_Us.php:50
action | admin_menu | inc\Admin\CFF_Admin.php:42
action | admin_enqueue_scripts | inc\Admin\CFF_Admin.php:157
action | admin_enqueue_scripts | inc\Admin\CFF_Admin.php:158
action | cff_admin_notices | inc\Admin\CFF_Admin_Notices.php:34
action | admin_notices | inc\Admin\CFF_Admin_Notices.php:35
action | wp_enqueue_scripts | inc\Admin\CFF_Callout.php:67
action | admin_enqueue_scripts | inc\Admin\CFF_Callout.php:68
action | wp_dashboard_setup | inc\Admin\CFF_Callout.php:69
action | admin_menu | inc\Admin\CFF_Global_Settings.php:70
filter | admin_footer_text | inc\Admin\CFF_Global_Settings.php:71
filter | update_footer | inc\Admin\CFF_Global_Settings.php:806
action | admin_notices | inc\Admin\CFF_New_User.php:39
action | admin_init | inc\Admin\CFF_New_User.php:41
action | admin_enqueue_scripts | inc\Admin\CFF_Notifications.php:89
action | cff_admin_notices | inc\Admin\CFF_Notifications.php:91
action | cff_notification_update | inc\Admin\CFF_Notifications.php:94
action | cff_header_notices | inc\Admin\CFF_Notifications.php:98
action | admin_menu | inc\Admin\CFF_oEmbeds.php:51
action | admin_menu | inc\Admin\CFF_Onboarding_Wizard.php:42
action | admin_menu | inc\Admin\CFF_Support.php:57
action | admin_menu | inc\Admin\CFF_Support_Tool.php:86
action | admin_footer | inc\Admin\CFF_Support_Tool.php:87
action | init | inc\Admin\CFF_Tracking.php:30
filter | cron_schedules | inc\Admin\CFF_Tracking.php:31
action | cff_usage_tracking_cron | inc\Admin\CFF_Tracking.php:32
action | cff_admin_notices | inc\Admin\CFF_Tracking.php:33
action | admin_init | inc\Builder\CFF_Source.php:34
action | admin_enqueue_scripts | inc\Builder\CFF_Tooltip_Wizard.php:55
action | admin_footer | inc\Builder\CFF_Tooltip_Wizard.php:56
action | init | inc\CFF_Blocks.php:50
action | enqueue_block_editor_assets | inc\CFF_Blocks.php:51
filter | block_categories_all | inc\CFF_Blocks.php:57
action | init | inc\CFF_Blocks.php:58
action | enqueue_block_editor_assets | inc\CFF_Blocks.php:59
action | enqueue_block_editor_assets | inc\CFF_Blocks.php:60
action | elementor/frontend/after_register_scripts | inc\CFF_Elementor_Base.php:28
action | elementor/frontend/after_register_styles | inc\CFF_Elementor_Base.php:29
action | elementor/frontend/after_enqueue_styles | inc\CFF_Elementor_Base.php:30
action | elementor/controls/controls_registered | inc\CFF_Elementor_Base.php:31
action | elementor/widgets/widgets_registered | inc\CFF_Elementor_Base.php:32
action | elementor/init | inc\CFF_Elementor_Base.php:33
action | cff_feed_issue_email | inc\CFF_Error_Reporter.php:68
action | wp_footer | inc\CFF_Error_Reporter.php:70
action | cff_admin_notices | inc\CFF_Error_Reporter.php:71
action | cff_admin_notices | inc\CFF_Error_Reporter.php:72
action | cff_admin_notices | inc\CFF_Error_Reporter.php:73
action | cff_admin_notices | inc\CFF_Error_Reporter.php:74
filter | wt_cli_third_party_scripts | inc\CFF_GDPR_Integrations.php:28
action | init | inc\CFF_Oembed.php:32
action | admin_init | inc\CFF_Oembed.php:33
filter | oembed_providers | inc\CFF_Oembed.php:35
filter | oembed_fetch_url | inc\CFF_Oembed.php:36
filter | oembed_result | inc\CFF_Oembed.php:37
filter | oembed_ttl | inc\CFF_Oembed.php:40
filter | site_status_tests | inc\CFF_SiteHealth.php:44
action | init | inc\Custom_Facebook_Feed.php:342
action | plugins_loaded | inc\Custom_Facebook_Feed.php:343
action | wp_loaded | inc\Custom_Facebook_Feed.php:347
action | wp_footer | inc\Custom_Facebook_Feed.php:349
filter | cron_schedules | inc\Custom_Facebook_Feed.php:351
filter | widget_text | inc\Custom_Facebook_Feed.php:352
action | admin_init | inc\Custom_Facebook_Feed.php:361
action | wp_footer | inc\Custom_Facebook_Feed.php:362
action | wp_enqueue_scripts | inc\Custom_Facebook_Feed.php:476
action | wp_enqueue_scripts | inc\Custom_Facebook_Feed.php:477
filter | sb_analytics_filter_top_posts | inc\Integrations\Analytics\SB_Analytics.php:43
filter | sb_analytics_filter_profile_details | inc\Integrations\Analytics\SB_Analytics.php:51
filter | sb_analytics_filter_feed_list | inc\Integrations\Analytics\SB_Analytics.php:59
action | et_builder_ready | inc\Integrations\Divi\CFF_Divi_Handler.php:71
action | wp_enqueue_scripts | inc\Integrations\Divi\CFF_Divi_Handler.php:78
action | cff_api_connect_response | inc\Platform_Data.php:61
action | cff_before_display_facebook | inc\Platform_Data.php:62
action | cff_app_permission_revoked | inc\Platform_Data.php:63
action | cff_before_delete_old_data | inc\Platform_Data.php:64
action | cff_before_display_facebook | inc\SB_Facebook_Data_Manager.php:48
action | cff_before_display_facebook | inc\SB_Facebook_Data_Manager.php:49
action | sb_facebook_twicedaily | inc\SB_Facebook_Data_Manager.php:50

Scheduled Events 10

cff_cron_job
cff_cache_cron
cff_usage_tracking_cron
group_post_scheduler_cron
group_post_scheduler_cron
cff_feed_issue_email
cff_feed_issue_email
cff_notification_update
cff_cron_job
cff_notification_update
Maintenance & Trust

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 8.8M

Community Trust

Rating: 94/100
Number of ratings: 1,501
Active installs: 200K
Developer Profile

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-facebook-feed/admin/assets/css/cff-admin-style.css
/wp-content/plugins/custom-facebook-feed/admin/assets/js/cff-admin-scripts.js
/wp-content/plugins/custom-facebook-feed/admin/enqueu-script.php
/wp-content/plugins/custom-facebook-feed/inc/Custom_Facebook_Feed.php
Script Paths
https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css
Version Parameters
custom-facebook-feed/admin/assets/css/cff-admin-style.css?ver=
custom-facebook-feed/admin/assets/js/cff-admin-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
cff_facebook_feed_locator
cff-feed-wrap
HTML Comments
<!-- Custom Facebook Feed -->
Data Attributes
data-cff-id
JS Globals
cffA
Shortcode Output
[custom-facebook-feed
FAQ

Frequently Asked Questions about Smash Balloon Social Post Feed – Simple Social Feeds for WordPress