Severity
Medium
Analysis Summary
CVE-2025-4683 CVSS:4.3
FluxBuilder MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress could allow a remote authenticated attacker to manipulate the data, caused by improper authorization validation by the create_blog function.
CVE-2025-4583 CVSS:5.4
The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Impact
- Security Bypass
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-4683
CVE-2025-4583
Affected Vendors
- WordPress
Affected Products
- smub Smash Balloon Social Photo Feed – Easy Social Feeds Plugin - *
- FluxBuilder MStore API – Create Native Android and iOS Apps On The Cloud - 4.17.5
Remediation
Upgrade to the latest version of the plugin for WordPress, available from the Website.