dropshot
Forum Replies Created
-
Just to add more context to this thread:
This vulnerability was flagged by Patchstack ~7 days ago, and is now also being flagged by Wordfence for the same plugin version and issue.
Could the team confirm:
– whether this is acknowledged
– if a fix is in progress
– or if this is considered a false positiveGiven that multiple scanners are now flagging this, some clarification would be appreciated.
Hi @wfpeter
Still looking for clarity here.
After another period of days with no alerts for this issue I received the same warning a couple of days ago (Alert generated at July 26, 2025 11:02am UTC) Despite the fact that nothing seems to have changed.
Wordfence confirms my current plugin version as the patched version. Still it alerts referring to a critical issue…
Any kind of help to provide some clarity would be appreciated. Thanks.
—
The Plugin “Instagram Feed Pro Elite” has a security vulnerability.
Issue Found 26 juli 2025
CriticalDetails
Plugin Name: Instagram Feed Pro Elite
Current Plugin Version: 6.8.1Smash Balloon: Instagram Feed Pro
Software Type: Plugin
Software Slug: instagram-feed-pro
Affected Version: <= 6.8.0
Patched Version: 6.8.1Hi @wfpeter
Update. After a few days of not alerting and everything seemed fine I’m now receiving the same warning this morning. 2025-06-25 04:55 CET. Despite the fact that nothing seems to have changed.
Any kind of help appreciated. Thanks.
—
The Plugin “Instagram Feed Pro Elite” has a security vulnerability.
Issue Found 25 juni 2025
CriticalDetails
Plugin Name: Instagram Feed Pro Elite
Current Plugin Version: 6.8.1Smash Balloon: Instagram Feed Pro
Software Type: Plugin
Software Slug: instagram-feed-pro
Affected Version: <= 6.8.0
Patched Version: 6.8.1Hi @wfpeter
Thank you for following up, and sorry for the delay.
Just to clarify the timeline a bit:
When I first received the critical vulnerability warning, I had the Instagram Feed Pro Personal version installed. Due to a license change on Smash Balloon’s end, I couldn’t update that version any longer, so I installed Instagram Feed Pro Elite instead — version 6.8.1, which should be the patched one, and then removed the Instagram Feed Pro Personal version.
After switching to the Elite version, Wordfence continued to flag the plugin — this time under the new name — still identifying a critical vulnerability. So it seemed like the scan had transferred the alert from the old Pro Personal version to the new Elite one, despite the latter using the patched version.
Interestingly, without any further changes on my end, the alert was suddenly gone two days later — no more warnings and no trace in the scan results. So it looks like it may have resolved itself, possibly after updated signature data on your side?
Could this have been caused by overlapping slugs or naming conventions between the different “Pro” versions on Smash Balloon’s side — or something cached in the scan engine? Just speculating, but would love to hear your thoughts.
Thanks again for your help!
Best regards,
Hi @wfpeter
Thank you for your reply.
It’s a bit confusing with Smash Balloons all different names and slugs. Not very surprising if that messes things up.
Maybe I wasn’t clear enough but my plugin is:
Plugin Name: Instagram Feed Pro Elite
Current Plugin Version: 6.8.1Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “Instagram Feed Pro Elite” until a patched version is available.
I don’t know if the Elite version is another plugin?
There was a free version still in place, when first scan ran that detected this vulnerability. Both Pro and Free was detected as critical. The Pro version is updated and the Free is uninstalled.
If the scan is locked with this info is it something I can clear to run a new scan?
Thanks!
Update.
Notifications is sending again. Also this time about 26 hours after activation. What might be causing this delay?
Thanks for your reply!
I’m not sure how to check that one the Site Health Screen. There is nothing telling me it’s not working.
Ran this test: Set up a page with a scheduled publish time. Page was published on that time. So, seems like wp-cron is working. Right?
I’m not sure what you mean with your second paragraph. What is expected, and when?
I did receive the notifications earlier. But only 26 hours after activating. Nothing from activation time until first alert was changed.
Forum: Plugins
In reply to: [Email Template Designer - WP HTML Mail] 2.9.1.1 loses Divi-support?Forum: Plugins
In reply to: [DIVI Enhancer - DIVI Modules and Options] Bing Map displays emptyOk. Map is now visible.
But the coordinates only centers the map. No pushpin is added…
What am I missing?
Forum: Plugins
In reply to: [DIVI Enhancer - DIVI Modules and Options] Bing Map displays emptyNever mind. Seems like I need a bing key to get started.
Forum: Plugins
In reply to: [PVB Contact Form 7 Calculator] How to do auto calculation@pbosakov
The documentation you are referring to returns a 404.
Do you have a better link?
CheersJust following up.
Found another plugin to send notifications. It works fine but are not as detailed as your plugin.
I would love to see your plugin make full support for bbPress!
Cheers!
Ok. Looking forward to it. If you could use a test pilot I’d gladly help.
Thank you for your detailed reply!
I will try a few things a get back to you if I find anything interesting.
Do you have an estimated guess for when full support for bbPress might be coming?
Sorry. I’m not sure if it was right to bump in to this thread.
Posted a new thread:
https://ww.wp.xz.cn/support/topic/bbpress-notifications-not-sent-to-requested-receivers/Email Log is installed and gives some weird answers.