Description
The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-03-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cache Reset via CSRF
Action: Patch ASAP
AI Analysis

Impact

The plugin contains a missing or incorrect nonce check in the ctf_clear_cache_admin() function, allowing an unauthenticated attacker to craft a forged request that resets the plugin's cache. This cross-site request forgery can be triggered by convincing a site administrator to click a link, resulting in an unexpected cache purge that disrupts the display of tweets. The vulnerability stems from a classic CSRF weakness (CWE-352).

Affected Systems

WordPress sites running the Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin, version 2.2.5 or earlier. No other products or versions are affected.

Risk and Exploitability

The CVSS score of 4.3 classifies the issue as Medium, and the EPSS score of less than 1% indicates a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, meaning no widespread public exploitation is known. Attackers need only lure an administrator into visiting a crafted link; no credentials or advanced privileges are required. The risk, while low in probability, is tangible: it forces an administrator to rebuild the cache and may cause temporary content loss.

Generated by OpenCVE AI on April 22, 2026 at 17:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Custom Twitter Feeds plugin to version 2.2.6 or later, which implements proper nonce validation for the cache reset action.
  • If an upgrade is not immediately possible, modify the plugin's code to add a nonce check to the ctf_clear_cache_admin() function so that only legitimate, authenticated requests succeed.
  • Configure the web application firewall or server rules to block any POST or GET requests to wp-admin/admin-ajax.php?action=ctf_clear_cache_admin that do not contain a valid nonce or do not originate from an authenticated administrator session.
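An illustration in PHP of the nonce check recommended above, added here as an example and not taken from the plugin's source: the handler name ctf_clear_cache_admin comes from the advisory, while the nonce action string, the request field name, the required capability and the placeholder purge helper are assumptions.

```php
<?php
// Added illustration of the recommended hardening, not the plugin's own code.
// Assumed names: nonce action 'ctf_clear_cache', request field 'nonce', and
// the placeholder helper ctf_do_clear_cache() standing in for the real purge.

function ctf_do_clear_cache() {
    // Placeholder for the plugin's cache purge (the transient name is made up).
    delete_transient( 'ctf_placeholder_feed_cache' );
}

// Weak shape, as the advisory describes: no nonce or capability check, so a
// request forged by a third-party page and sent by a logged-in administrator's
// browser purges the cache.
function ctf_clear_cache_admin_weak() {
    ctf_do_clear_cache();
    wp_send_json_success();
}

// Hardened shape: verify the nonce bound to this action, then the caller's
// capability, before doing anything with side effects.
function ctf_clear_cache_admin_hardened() {
    // Reads $_REQUEST['nonce']; on a missing or stale nonce WordPress responds
    // with HTTP 403 and stops, so the purge below is never reached.
    check_ajax_referer( 'ctf_clear_cache', 'nonce' );

    // A nonce proves the request came from a page WordPress rendered for this
    // user; it is not authorization, so also require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    ctf_do_clear_cache();
    wp_send_json_success();
}
// Logged-in hook only; no wp_ajax_nopriv_ registration for a cache-reset action.
add_action( 'wp_ajax_ctf_clear_cache_admin', 'ctf_clear_cache_admin_hardened' );

// The legitimate admin page obtains a nonce for the same action string and
// hands it to its script, which posts it back as the 'nonce' field together
// with action=ctf_clear_cache_admin.
function ctf_admin_cache_script_data() {
    wp_enqueue_script( 'ctf-admin-cache', plugins_url( 'admin-cache.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'ctf-admin-cache', 'ctfCache', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ctf_clear_cache' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ctf_admin_cache_script_data' );
```

A WAF rule cannot validate a WordPress nonce on its own, so the server-side check in the handler is the control that actually closes the issue; the firewall rule only narrows who can reach it.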

Generated by OpenCVE AI on April 22, 2026 at 17:47 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-6745
Title: The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Thu, 20 Mar 2025 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 20 Mar 2025 05:30:00 +0000

Type: Description
Values Added: The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: Custom Twitter Feeds <= 2.2.5 - Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:12.366Z

Reserved: 2025-02-14T21:36:15.302Z

Link: CVE-2025-1314

Vulnrichment

Updated: 2025-03-20T17:59:13.536Z

NVD

Status: Deferred

Published: 2025-03-20T06:15:22.437

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1314

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses