Description
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from authenticated user sessions.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Twitter‑Clone 1 exposes a cross‑site request forgery (CWE‑352) that lets an attacker force an authenticated victim to delete arbitrary posts. By crafting a hidden HTML form that targets the tweetdel.php endpoint with specific tweet IDs, the attacker can trigger a deletion when the victim’s browser submits it automatically. The effect is loss of content and compromise of data integrity for an affected user session, but it does not grant remote code execution or data exfiltration. The vulnerability requires the victim to be logged in and the attacker to supply a malicious form, making the impact limited to users who have visited the attacker’s page while authenticated.

Affected Systems

The product affected is Fyffe’s PHP‑Twitter‑Clone, specifically version 1 of the application. No additional version range was supplied, so any deployment of this clone is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity; the EPSS score is not provided and the vulnerability is not listed in the CISA KEV catalog. Exploitation is possible remotely via a web page that hosts a hidden form and automatically submits a POST request to tweetdel.php. The attacker needs to entice a user to load the malicious page while authenticated. No additional system or network prerequisites are stated, so any web‑browser session that can reach the application is a potential target.

Generated by OpenCVE AI on May 25, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest release of PHP‑Twitter‑Clone or remove tweetdel.php if the feature is not required.
  • Add CSRF protection to tweetdel.php, such as a server‑side verification token or an origin header check, to ensure only legitimate form submissions are accepted.
  • Configure the application to require user confirmation or restrict POST requests to tweetdel.php to same‑origin traffic, for example by setting SameSite=Lax or SameSite=Strict on the session cookie (SameSite=None explicitly allows the cookie on cross‑site requests and does not mitigate CSRF) or by validating the Referer header.

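One way to put the token and origin checks recommended above into tweetdel.php, as an added example that is not the project's own code. It assumes the handler receives the tweet id as a POST parameter named id, the logged‑in user's id in $_SESSION['user_id'], a tweets(id, user_id) table reached through a $pdo handle defined in an included config.php, and a deployment origin APP_ORIGIN; all of these names are assumptions.

```php
<?php
// Added example (not the project's code): a hardened tweetdel.php that rejects
// forged cross-site deletes with a synchronizer token plus an Origin check.
declare(strict_types=1);
require 'config.php';                               // assumed: defines $pdo
const APP_ORIGIN = 'https://twitter-clone.example';  // assumed deployment origin
// Lax or Strict keeps the session cookie off cross-site POSTs; None would not.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Per-session synchronizer token; the delete form echoes it back in a hidden
// field named csrf_token, which a page on another origin cannot read.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function csrf_token_valid($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // is_string() rejects tampered array params; hash_equals() is constant-time.
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Independent second check: the request's Origin (or Referer) must be our own.
function request_is_same_origin(array $server): bool {
    $parts = parse_url($server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '');
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // also rejects a missing header and the literal "null" origin
    }
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    return strcasecmp($parts['scheme'] . '://' . $parts['host'] . $port, APP_ORIGIN) === 0;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !csrf_token_valid($_POST['csrf_token'] ?? null)
    || !request_is_same_origin($_SERVER)) {
    http_response_code(403);
    exit('Rejected: missing or invalid CSRF token, or cross-site origin.');
}

$userId  = $_SESSION['user_id'] ?? null;                        // assumed key
$tweetId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);  // assumed name
if ($userId === null || !is_int($tweetId)) {
    http_response_code(400);
    exit('Bad request.');
}
// Scope the delete to the caller's own row (assumed schema: tweets(id, user_id)).
$stmt = $pdo->prepare('DELETE FROM tweets WHERE id = :id AND user_id = :uid');
$stmt->execute([':id' => $tweetId, ':uid' => $userId]);
```

The page that renders the delete button must call csrf_token() and embed the value in a hidden csrf_token field; a form hosted on another site has no way to obtain that value, so its submission fails the first check even if the cookie were sent.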

Advisories

No advisories yet.

History

Mon, 25 May 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from authenticated user sessions.
Title         (none)           Twitter-Clone 1 Cross-Site Request Forgery via tweetdel.php
Weaknesses    (none)           CWE-352
References    (none)
Metrics       (none)           cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T14:15:10.194Z

Reserved: 2026-05-24T13:31:38.682Z

Link: CVE-2018-25363

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T15:30:06Z

Weaknesses