Eldar Zeynalli

**Name of the Vulnerable Software and Affected Versions** The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress versions up to, and including, 6.5.4 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `esf insta save access token` and `efbl save facebook access token` functions. This allows unauthenticated attackers to connect their Facebook and Instagram pages to a site by tricking a site administrator into performing an action, such as clicking on a link, via a forged request. **Recommendations** For versions up to, and including, 6.5.4, update to a version that includes proper nonce validation for the `esf insta save access token` and `efbl save facebook access token` functions to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the `esf insta save access token` and `efbl save facebook access token` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress versions up to, and including, 6.5.4 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `save groups list` function. This allows unauthenticated attackers to disconnect a site's Facebook or Instagram page/group connection by tricking a site administrator into performing an action, such as clicking on a link. **Recommendations** For versions up to, and including, 6.5.4, update to a version that includes the fix for the missing or incorrect nonce validation on the `save groups list` function. As a temporary workaround, consider restricting access to the `save groups list` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SoftwareX (affected versions not specified) **Description** The issue is related to the integrated oAuth Authorization Service, where functions with insufficient randomness were used to generate authorization tokens. This made authorization codes predictable for third parties, allowing them to intercept and take over the client authorization process, potentially compromising other users' accounts. The oAuth Authorization Service is not enabled by default. The implementation has been updated to use sources with sufficient randomness to generate authorization tokens. No publicly available exploits are known. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.