Smash Balloon Social Photo Feed – Easy Social Feeds Plugin Security & Risk Analysis

wordpress.org/plugins/instagram-feed

Formerly "Instagram Feed". Display clean, customizable, and responsive Instagram feeds from multiple accounts. Supports Instagram oEmbeds.

1.0M active installs v6.10.1 PHP 7.4+ WP 4.1+ Updated Mar 12, 2026
Tags: instagram, instagram-feed, instagram-gallery, instagram-photos, instagram-widget
Score: 98 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jul 20, 2021
Safety Verdict

Is Smash Balloon Social Photo Feed – Easy Social Feeds Plugin Safe to Use in 2026?

Generally Safe

Score 98/100

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jul 20, 2021 · Updated 21d ago
Risk Assessment

The 'instagram-feed' plugin v6.10.1 exhibits a mixed security posture. While it demonstrates some good practices such as a significant number of nonce and capability checks, and a majority of SQL queries using prepared statements, there are notable concerns. The presence of one AJAX handler without authentication checks presents a direct entry point for potential exploitation. Furthermore, the taint analysis reveals four high-severity flows with unsanitized paths, indicating potential for serious vulnerabilities like cross-site scripting or insecure direct object references. The plugin's historical vulnerability data, including four known CVEs with one high and three medium severity issues, points to a recurring pattern of security weaknesses, particularly related to Cross-Site Request Forgery and Cross-Site Scripting. Although there are no currently unpatched CVEs, the historical prevalence of these types of vulnerabilities suggests a need for more robust input validation and output escaping mechanisms. Overall, while the plugin has strengths in its defensive checks, the identified unprotected entry point, high-severity taint flows, and historical vulnerability trends warrant careful consideration and prompt remediation.

Key Concerns

  • Unprotected AJAX handler
  • High severity unsanitized taint flows
  • Historical high severity vulnerability
  • SQL queries not using prepared statements
  • Outputs not properly escaped
Vulnerabilities: 4

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin Security Vulnerabilities

CVEs by Year

  • 2016: 1 CVE
  • 2018: 1 CVE
  • 2019: 1 CVE
  • 2021: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

WF-0efff314-b14f-4af4-b225-ba7e41d01b2e-instagram-feed · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Plugins (Various Versions) - Reflected Cross-Site Scripting

Jul 20, 2021 · Patched in 2.9.2 (917d)

WF-1c307340-2911-46b9-9c90-0a7ebad8a0e9-instagram-feed · high · 8.8 · Cross-Site Request Forgery (CSRF)

Smash Balloon Social Photo Feed <= 1.11.3 - Cross-Site Request Forgery to Back-Up Deletion

Mar 5, 2019 · Patched in 1.12 (1785d)

WF-8247c654-0082-4677-a0a6-b90a0256de81-instagram-feed · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Photo Feed <= 1.5.1 - Reflected Cross-Site Scripting

Jan 18, 2018 · Patched in 1.6 (2196d)

WF-062f5bc7-9d53-4a28-b603-9901ce2175d8-instagram-feed · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Social Photo Feed <= 1.4.6.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Nov 19, 2016 · Patched in 1.4.7 (2621d)

Code Analysis
Analyzed Mar 16, 2026

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 132 (114 prepared)
  • Unescaped Output: 168 (464 escaped)
  • Nonce Checks: 60
  • Capability Checks: 42
  • File Operations: 16
  • External Requests: 16
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize: $data = unserialize($data, ['allowed_classes' => false]); (inc\Helpers\Util.php:259)

SQL Query Safety

46% prepared · 246 total queries

Output Escaping

73% escaped · 632 total outputs

Data Flows: 6 unsanitized

Data Flow Analysis

17 flows · 6 with unsanitized paths

sbi_save_settings (admin\SBI_Global_Settings.php:90)

Attack Surface: 1 unprotected

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin Attack Surface

Entry Points: 58
Unprotected: 1

AJAX Handlers 57

auth · wp_ajax_sbi_check_license · admin\SBI_Admin_Notices.php:42
auth · wp_ajax_sbi_dismiss_upgrade_notice · admin\SBI_Admin_Notices.php:45
auth · wp_ajax_sbi_save_settings · admin\SBI_Global_Settings.php:68
auth · wp_ajax_sbi_activate_license · admin\SBI_Global_Settings.php:69
auth · wp_ajax_sbi_deactivate_license · admin\SBI_Global_Settings.php:70
auth · wp_ajax_sbi_test_connection · admin\SBI_Global_Settings.php:71
auth · wp_ajax_sbi_recheck_connection · admin\SBI_Global_Settings.php:72
auth · wp_ajax_sbi_import_settings_json · admin\SBI_Global_Settings.php:73
auth · wp_ajax_sbi_export_settings_json · admin\SBI_Global_Settings.php:74
auth · wp_ajax_sbi_clear_cache · admin\SBI_Global_Settings.php:75
auth · wp_ajax_sbi_clear_image_resize_cache · admin\SBI_Global_Settings.php:76
auth · wp_ajax_sbi_clear_error_log · admin\SBI_Global_Settings.php:77
auth · wp_ajax_sbi_retry_db · admin\SBI_Global_Settings.php:78
auth · wp_ajax_sbi_dpa_reset · admin\SBI_Global_Settings.php:79
auth · wp_ajax_disable_instagram_oembed_from_instagram · admin\SBI_oEmbeds.php:55
auth · wp_ajax_disable_facebook_oembed_from_instagram · admin\SBI_oEmbeds.php:56
auth · wp_ajax_sbi_create_temp_user · admin\SBI_Support_Tool.php:215
auth · wp_ajax_sbi_delete_temp_user · admin\SBI_Support_Tool.php:216
auth · wp_ajax_sbi_get_api_calls_handler · admin\SBI_Support_Tool.php:217
nopriv · wp_ajax_sbi_run_one_click_upgrade · admin\SBI_Upgrader.php:48
auth · wp_ajax_sbi_maybe_upgrade_redirect · admin\SBI_Upgrader.php:49
auth · wp_ajax_sbi_reset_log · inc\admin\actions.php:433
auth · wp_ajax_sbi_deactivate_addon · inc\admin\addon-functions.php:41
auth · wp_ajax_sbi_activate_addon · inc\admin\addon-functions.php:78
auth · wp_ajax_sbi_install_addon · inc\admin\addon-functions.php:193
auth · wp_ajax_sbi_review_notice_consent_update · inc\admin\class-sbi-new-user.php:40
auth · wp_ajax_sbi_dashboard_notification_dismiss · inc\admin\class-sbi-notifications.php:69
auth · wp_ajax_sbi_feed_saver_manager_process_wizard · inc\admin\SBI_Onboarding_wizard.php:53
auth · wp_ajax_sbi_feed_saver_manager_dismiss_wizard · inc\admin\SBI_Onboarding_wizard.php:54
auth · wp_ajax_sbi_dismiss_onboarding · inc\Builder\SBI_Feed_Builder.php:56
auth · wp_ajax_sbi_other_plugins_modal · inc\Builder\SBI_Feed_Builder.php:58
auth · wp_ajax_sbi_feed_saver_manager_builder_update · inc\Builder\SBI_Feed_Saver_Manager.php:26
auth · wp_ajax_sbi_feed_saver_manager_get_feed_settings · inc\Builder\SBI_Feed_Saver_Manager.php:27
auth · wp_ajax_sbi_feed_saver_manager_get_feed_list_page · inc\Builder\SBI_Feed_Saver_Manager.php:28
auth · wp_ajax_sbi_feed_saver_manager_get_locations_page · inc\Builder\SBI_Feed_Saver_Manager.php:29
auth · wp_ajax_sbi_feed_saver_manager_delete_feeds · inc\Builder\SBI_Feed_Saver_Manager.php:30
auth · wp_ajax_sbi_feed_saver_manager_duplicate_feed · inc\Builder\SBI_Feed_Saver_Manager.php:31
auth · wp_ajax_sbi_feed_saver_manager_clear_single_feed_cache · inc\Builder\SBI_Feed_Saver_Manager.php:32
auth · wp_ajax_sbi_feed_saver_manager_importer · inc\Builder\SBI_Feed_Saver_Manager.php:33
auth · wp_ajax_sbi_feed_saver_manager_fly_preview · inc\Builder\SBI_Feed_Saver_Manager.php:34
auth · wp_ajax_sbi_feed_saver_manager_retrieve_comments · inc\Builder\SBI_Feed_Saver_Manager.php:35
auth · wp_ajax_sbi_feed_saver_manager_clear_comments_cache · inc\Builder\SBI_Feed_Saver_Manager.php:36
auth · wp_ajax_sbi_feed_saver_manager_delete_source · inc\Builder\SBI_Feed_Saver_Manager.php:37
auth · wp_ajax_sbi_update_personal_account · inc\Builder\SBI_Feed_Saver_Manager.php:38
auth · wp_ajax_sbi_feed_saver_manager_recache_feed · inc\Builder\SBI_Feed_Saver_Manager.php:41
auth · wp_ajax_sbi_source_builder_update · inc\Builder\SBI_Source.php:28
auth · wp_ajax_sbi_source_builder_update_multiple · inc\Builder\SBI_Source.php:29
auth · wp_ajax_sbi_source_get_page · inc\Builder\SBI_Source.php:30
auth · wp_ajax_sbi_load_more_clicked · inc\if-functions.php:334
nopriv · wp_ajax_sbi_load_more_clicked · inc\if-functions.php:335
auth · wp_ajax_sbi_resized_images_submit · inc\if-functions.php:401
nopriv · wp_ajax_sbi_resized_images_submit · inc\if-functions.php:402
auth · wp_ajax_sbi_do_locator · inc\if-functions.php:442
nopriv · wp_ajax_sbi_do_locator · inc\if-functions.php:443
auth · wp_ajax_sbi_dismiss_critical_notice · inc\if-functions.php:1554
auth · wp_ajax_sb_instagramfeed_divi_preview · inc\Integrations\Divi\SBI_Divi_Handler.php:70
auth · wp_ajax_sbi_reset_unused_feed_usage · inc\Platform_Data.php:59

Shortcodes 1

[instagram-feed] inc\if-functions.php:18

WordPress Hooks 89

action · admin_menu · admin\SBI_About_Us.php:50
action · in_admin_header · admin\SBI_Admin_Notices.php:41
action · sbi_header_notices · admin\SBI_Admin_Notices.php:44
action · admin_init · admin\SBI_Admin_Notices.php:46
action · sb_notice_custom_feed_templates_dismissed · admin\SBI_Admin_Notices.php:47
action · wp_enqueue_scripts · admin\SBI_Callout.php:31
action · admin_enqueue_scripts · admin\SBI_Callout.php:32
action · wp_dashboard_setup · admin\SBI_Callout.php:33
action · admin_menu · admin\SBI_Global_Settings.php:65
filter · admin_footer_text · admin\SBI_Global_Settings.php:66
filter · update_footer · admin\SBI_Global_Settings.php:825
action · admin_menu · admin\SBI_oEmbeds.php:53
action · admin_menu · admin\SBI_Support.php:53
action · admin_menu · admin\SBI_Support_Tool.php:131
action · admin_footer · admin\SBI_Support_Tool.php:132
action · admin_enqueue_scripts · admin\SBI_Support_Tool.php:487
action · admin_menu · inc\admin\actions.php:105
filter · plugin_action_links_instagram-feed/instagram-feed.php · inc\admin\actions.php:151
action · admin_enqueue_scripts · inc\admin\actions.php:160
action · admin_enqueue_scripts · inc\admin\actions.php:208
action · admin_init · inc\admin\actions.php:280
action · init · inc\admin\blocks\class-sbi-blocks.php:52
action · enqueue_block_editor_assets · inc\admin\blocks\class-sbi-blocks.php:53
action · admin_init · inc\admin\class-sbi-new-user.php:37
action · admin_init · inc\admin\class-sbi-new-user.php:39
action · admin_enqueue_scripts · inc\admin\class-sbi-notifications.php:62
action · admin_init · inc\admin\class-sbi-notifications.php:64
action · sbi_notification_update · inc\admin\class-sbi-notifications.php:67
filter · site_status_tests · inc\admin\class-sbi-sitehealth.php:37
action · admin_menu · inc\admin\SBI_Onboarding_wizard.php:42
action · admin_menu · inc\Builder\SBI_Feed_Builder.php:41
action · admin_init · inc\Builder\SBI_Source.php:31
action · admin_enqueue_scripts · inc\Builder\SBI_Tooltip_Wizard.php:40
action · admin_footer · inc\Builder\SBI_Tooltip_Wizard.php:41
action · sbi_before_display_instagram · inc\class-sb-instagram-data-manager.php:43
action · sbi_before_display_instagram · inc\class-sb-instagram-data-manager.php:44
action · sbi_before_display_instagram · inc\class-sb-instagram-data-manager.php:45
action · sb_instagram_twicedaily · inc\class-sb-instagram-data-manager.php:46
filter · wt_cli_third_party_scripts · inc\class-sb-instagram-gdpr-integrations.php:23
action · init · inc\class-sb-instagram-oembed.php:31
filter · oembed_providers · inc\class-sb-instagram-oembed.php:33
filter · oembed_fetch_url · inc\class-sb-instagram-oembed.php:34
filter · oembed_result · inc\class-sb-instagram-oembed.php:35
filter · oembed_ttl · inc\class-sb-instagram-oembed.php:38
action · init · inc\Helpers\SB_Instagram_Tracking.php:25
filter · cron_schedules · inc\Helpers\SB_Instagram_Tracking.php:26
action · sbi_usage_tracking_cron · inc\Helpers\SB_Instagram_Tracking.php:27
filter · widget_text · inc\if-functions.php:11
action · sbi_before_feed_end · inc\if-functions.php:195
action · sbi_before_feed_end · inc\if-functions.php:496
action · sbi_before_feed_end · inc\if-functions.php:596
action · sbi_after_feed · inc\if-functions.php:671
action · sbi_after_feed · inc\if-functions.php:704
action · sbi_feed_update · inc\if-functions.php:859
action · sbi_cron_additional_batch · inc\if-functions.php:905
action · wp_enqueue_scripts · inc\if-functions.php:1261
action · wp_footer · inc\if-functions.php:1295
action · wp_footer · inc\if-functions.php:1296
action · wp_head · inc\if-functions.php:1306
filter · sbi_num_in_request · inc\if-functions.php:1368
action · wp_footer · inc\if-functions.php:1539
action · sb_instagram_feed_issue_email · inc\if-functions.php:1651
filter · sb_instagram_feed_has_admin_errors · inc\if-functions.php:1777
action · et_builder_ready · inc\Integrations\Divi\SBI_Divi_Handler.php:67
action · wp_enqueue_scripts · inc\Integrations\Divi\SBI_Divi_Handler.php:74
action · elementor/frontend/after_register_scripts · inc\Integrations\Elementor\SBI_Elementor_Base.php:126
action · elementor/frontend/after_register_styles · inc\Integrations\Elementor\SBI_Elementor_Base.php:127
action · elementor/frontend/after_enqueue_styles · inc\Integrations\Elementor\SBI_Elementor_Base.php:128
action · elementor/controls/register · inc\Integrations\Elementor\SBI_Elementor_Base.php:130
action · elementor/widgets/register · inc\Integrations\Elementor\SBI_Elementor_Base.php:131
action · elementor/elements/categories_registered · inc\Integrations\Elementor\SBI_Elementor_Base.php:132
filter · sb_analytics_filter_profile_details · inc\Integrations\FeedAnalytics.php:25
filter · sb_analytics_filter_feed_list · inc\Integrations\FeedAnalytics.php:26
action · sbi_api_connect_response · inc\Platform_Data.php:53
action · sbi_before_display_instagram · inc\Platform_Data.php:54
action · sbi_app_permission_revoked · inc\Platform_Data.php:55
action · sbi_before_delete_old_data · inc\Platform_Data.php:56
filter · do_shortcode_tag · inc\Services\ShortcodeService.php:11
action · admin_notices · instagram-feed.php:30
action · init · instagram-feed.php:271
filter · cron_schedules · instagram-feed.php:294
action · admin_init · instagram-feed.php:422
action · wp_loaded · instagram-feed.php:987
action · wpmu_new_blog · instagram-feed.php:1159
filter · wpmu_drop_tables · instagram-feed.php:1183
action · init · instagram-feed.php:1195
action · sb_instagram_twicedaily · instagram-feed.php:1233
action · widgets_init · widget.php:75
filter · widget_text · widget.php:78

Scheduled Events 15

sbi_cron_additional_batch
sbi_feed_update
sbi_feed_update
sbi_feed_update
sbi_feed_update
sbi_usage_tracking_cron
sbi_cron_additional_batch
sb_instagram_feed_issue_email
sb_instagram_cron_job
sb_instagram_twicedaily
sbi_notification_update
sb_instagram_twicedaily
sb_instagram_feed_issue_email
sbi_notification_update
sbi_feed_update
Maintenance & Trust

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 50.0M

Community Trust

Rating: 98/100
Number of ratings: 4,333
Active installs: 1.0M

Developer Profile

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days

Detection Fingerprints

How We Detect Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/instagram-feed/admin/css/sb-admin-styles.css
  • /wp-content/plugins/instagram-feed/admin/css/sb-instagram-admin.css
  • /wp-content/plugins/instagram-feed/admin/js/sb-instagram-admin.js
  • /wp-content/plugins/instagram-feed/css/sb_instagram_feed_styles.css
  • /wp-content/plugins/instagram-feed/css/sb_instagram_frontend.css
  • /wp-content/plugins/instagram-feed/css/sb_instagram_layouts.css
  • /wp-content/plugins/instagram-feed/css/sb_instagram_carousel.css
  • /wp-content/plugins/instagram-feed/css/sb_instagram_photo_feed.css
  • +25 more

Script Paths

  • /wp-content/plugins/instagram-feed/admin/js/sb-instagram-admin.js
  • /wp-content/plugins/instagram-feed/js/sb-instagram-feed.js
  • /wp-content/plugins/instagram-feed/js/sb-instagram-frontend.js
  • /wp-content/plugins/instagram-feed/js/sb-instagram-aio.js
  • /wp-content/plugins/instagram-feed/js/sb-instagram-ajax-pagination.js
  • /wp-content/plugins/instagram-feed/js/sb-instagram-carousel.js
  • +11 more

Version Parameters

  • instagram-feed/admin/css/sb-admin-styles.css?ver=
  • instagram-feed/admin/css/sb-instagram-admin.css?ver=
  • instagram-feed/admin/js/sb-instagram-admin.js?ver=
  • instagram-feed/css/sb_instagram_feed_styles.css?ver=
  • instagram-feed/css/sb_instagram_frontend.css?ver=
  • instagram-feed/css/sb_instagram_layouts.css?ver=
  • instagram-feed/css/sb_instagram_carousel.css?ver=
  • instagram-feed/css/sb_instagram_photo_feed.css?ver=
  • instagram-feed/css/sb_instagram_shortcode.css?ver=
  • instagram-feed/css/sb_instagram_responsive.css?ver=
  • instagram-feed/js/sb-instagram-feed.js?ver=
  • instagram-feed/js/sb-instagram-frontend.js?ver=
  • instagram-feed/js/sb-instagram-aio.js?ver=
  • instagram-feed/js/sb-instagram-ajax-pagination.js?ver=
  • instagram-feed/js/sb-instagram-carousel.js?ver=
  • instagram-feed/js/sb-instagram-shortcode.js?ver=
  • instagram-feed/js/sb-instagram-photo-feed.js?ver=
  • instagram-feed/js/sb-instagram-initializer.js?ver=
  • instagram-feed/assets/css/sb_instagram_admin.css?ver=
  • instagram-feed/assets/js/sb_instagram_admin.js?ver=
  • instagram-feed/assets/css/sb_instagram_frontend.css?ver=
  • instagram-feed/assets/css/sb_instagram_layouts.css?ver=
  • instagram-feed/assets/css/sb_instagram_carousel.css?ver=
  • instagram-feed/assets/css/sb_instagram_photo_feed.css?ver=
  • instagram-feed/assets/css/sb_instagram_shortcode.css?ver=
  • instagram-feed/assets/css/sb_instagram_responsive.css?ver=
  • instagram-feed/assets/js/sb_instagram_frontend.js?ver=
  • instagram-feed/assets/js/sb_instagram_aio.js?ver=
  • instagram-feed/assets/js/sb_instagram_ajax_pagination.js?ver=
  • instagram-feed/assets/js/sb_instagram_carousel.js?ver=
  • instagram-feed/assets/js/sb_instagram_shortcode.js?ver=
  • instagram-feed/assets/js/sb_instagram_photo_feed.js?ver=
  • instagram-feed/assets/js/sb_instagram_initializer.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • sb_instagram_feed
  • sb_instagram_photos
  • sbi_photo
  • sbi_likes
  • sbi_caption
  • sbi_item
  • sbi_thumb
  • sbi_follow_btn
  • +23 more

HTML Comments

  • <!-- Smash Balloon Instagram Feed -->
  • <!-- BEGIN: SMASH BALLOON INSTAGRAM FEED -->
  • <!-- END: SMASH BALLOON INSTAGRAM FEED -->
  • <!-- Smash Balloon Instagram Feed Settings -->

Data Attributes

  • data-sbi-id
  • data-sbi-post-id
  • data-sbi-embed-id
  • data-sbi-type
  • data-sbi-options
  • data-carousel-options
  • +3 more

JS Globals

  • sbInstagram
  • sb_instagram_js_options
  • SB_Instagram_Feed
  • sbi_admin
  • sbi_frontend_scripts

REST Endpoints

  • /wp-json/instagram-feed/v1/feeds
  • /wp-json/instagram-feed/v1/settings
  • /wp-json/instagram-feed/v1/accounts

Shortcode Output

  • <div class="sb_instagram_feed
  • <div id="sb_instagram_feed
  • <div class="sbi_photo
  • <div class="sb_instagram_photos

FAQ

Frequently Asked Questions about Smash Balloon Social Photo Feed – Easy Social Feeds Plugin