CVE-2026-12002 Overview
CVE-2026-12002 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Smash Balloon Social Photo Feed – Easy Social Feeds Plugin for WordPress. The flaw exists in all versions up to and including 6.11.1. The vulnerability stems from missing or incorrect nonce validation on the maybe_connection_data function. Unauthenticated attackers can overwrite the site's Instagram and Facebook oEmbed access tokens by tricking a site administrator into clicking a crafted link. Successful exploitation requires user interaction from an authenticated administrator.
Critical Impact
Attackers can hijack Instagram and Facebook oEmbed access tokens on affected WordPress sites, disrupting social feed integrations and enabling unauthorized token substitution.
Affected Products
- Smash Balloon Social Photo Feed – Easy Social Feeds Plugin for WordPress
- All versions up to and including 6.11.1
- WordPress installations with the instagram-feed plugin active
Discovery Timeline
- 2026-07-08 - CVE-2026-12002 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-12002
Vulnerability Analysis
The vulnerability is a Cross-Site Request Forgery flaw classified under [CWE-352]. It resides in the maybe_connection_data function within the plugin's SBI_oEmbeds.php administrative handler. The function processes state-changing requests that update stored Instagram and Facebook oEmbed access tokens. Because the handler does not correctly validate a WordPress nonce, requests originating from external sources are accepted as legitimate.
An unauthenticated attacker cannot invoke the function directly. Exploitation requires an authenticated administrator to visit an attacker-controlled page or click a crafted link. The victim's browser then issues the state-changing request with valid administrator session cookies attached.
Root Cause
The root cause is missing or improperly implemented nonce verification in the maybe_connection_data function. WordPress relies on nonces generated by wp_create_nonce and validated by check_admin_referer or wp_verify_nonce to bind sensitive actions to specific user sessions. Without this validation, the plugin trusts any authenticated request that reaches the endpoint, regardless of origin.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a page containing an auto-submitting form or image tag targeting the vulnerable endpoint on the victim's WordPress site. When an administrator visits the page while logged in, the browser submits the forged request. The plugin processes the request and overwrites the stored Instagram or Facebook oEmbed access tokens with attacker-supplied values. See the Wordfence Vulnerability Analysis and the WordPress Plugin Change Log for the applied fix.
No verified proof-of-concept code is publicly available. The EPSS score is 0.102% at the 1.137 percentile, indicating low near-term exploitation probability.
Detection Methods for CVE-2026-12002
Indicators of Compromise
- Unexpected changes to Instagram or Facebook oEmbed access tokens stored in WordPress options tables.
- Administrator-initiated POST requests to SBI_oEmbeds.php endpoints with Referer headers pointing to external domains.
- Social feed widgets rendering content from accounts not owned by the site operator.
Detection Strategies
- Review web server access logs for administrative POST requests lacking a same-origin Referer or Origin header.
- Audit the wp_options table for modifications to Smash Balloon plugin option keys and compare timestamps against administrator login sessions.
- Correlate outbound requests to Instagram or Facebook API endpoints against known-good token configurations.
Monitoring Recommendations
- Enable request logging on the WordPress admin interface and alert on cross-origin form submissions to plugin admin handlers.
- Track plugin version inventory and flag any WordPress installation running instagram-feed version 6.11.1 or earlier.
- Monitor administrator accounts for unusual browsing patterns that precede plugin configuration changes.
How to Mitigate CVE-2026-12002
Immediate Actions Required
- Update the Smash Balloon Social Photo Feed plugin to a version later than 6.11.1 that includes the nonce validation fix from changeset 3575933.
- Rotate Instagram and Facebook oEmbed access tokens if the plugin ran an unpatched version on a publicly reachable site.
- Instruct administrators to log out of WordPress before browsing untrusted sites.
Patch Information
The vendor addressed the flaw in the plugin repository through changeset 3575933, which introduces proper nonce validation in admin/SBI_oEmbeds.php. Site operators should apply the update through the WordPress plugin management interface or by manually replacing the affected file with the patched version.
Workarounds
- Deactivate the Smash Balloon plugin until the patched version is deployed if immediate update is not possible.
- Restrict administrative access to the WordPress dashboard using IP allow-listing at the web server or firewall layer.
- Deploy a web application firewall rule that enforces same-origin Referer headers on POST requests to /wp-admin/ paths handling plugin configuration.
# Update the plugin via WP-CLI
wp plugin update instagram-feed
wp plugin get instagram-feed --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

