Description
The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-11-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting leading to client‑side script injection
Action: Immediate Patch
AI Analysis

Impact

The WP Twitter Auto Publish plugin allows an unauthenticated attacker to inject arbitrary JavaScript through the PostMessage interface because it fails to properly sanitize or escape user‑supplied data. An attacker who lures a visitor to a crafted link could have the victim’s browser execute malicious code in the context of the site, potentially accessing site information, stealing credentials, or defacing content. This vulnerability is a classic reflected XSS flaw categorized as CWE‑79.

Affected Systems

The flaw affects all installations of the WP Twitter Auto Publish WordPress plugin with versions 1.7.4 and earlier. The product is provided by f1logic and user sites should verify that they are using a newer, patched version.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity with impact on confidentiality, integrity, and availability. The EPSS score of less than 1% suggests that active exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is valid through any guest‑visible page that triggers the PostMessage endpoint; an attacker only needs to entice a user to click a crafted link to succeed.

Generated by OpenCVE AI on April 22, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Twitter Auto Publish to the latest version (1.7.5 or later) where the PostMessage handler sanitizes input.
  • If an immediate update is not feasible, disable the auto‑publish feature or restrict its usage to trusted users only.
  • Deploy a web application firewall or content‑security‑policy rules to block JavaScript injection attempts against the affected endpoint.

Generated by OpenCVE AI on April 22, 2026 at 11:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title WP Twitter Auto Publish <= 1.7.3 - Reflected Cross-Site Scripting via PostMessage WP Twitter Auto Publish <= 1.7.4 - Reflected Cross-Site Scripting via PostMessage
References

Wed, 19 Nov 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared F1logic
F1logic wp Twitter Auto Publish
Wordpress
Wordpress wordpress
Vendors & Products F1logic
F1logic wp Twitter Auto Publish
Wordpress
Wordpress wordpress

Tue, 18 Nov 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
Description The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title WP Twitter Auto Publish <= 1.7.3 - Reflected Cross-Site Scripting via PostMessage
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

F1logic Wp Twitter Auto Publish
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:37.958Z

Reserved: 2025-10-22T15:17:43.050Z

Link: CVE-2025-12079

cve-icon Vulnrichment

Updated: 2025-11-18T21:11:40.387Z

cve-icon NVD

Status : Deferred

Published: 2025-11-18T10:15:46.647

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12079

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses