Description
The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-12-05
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Twitscription plugin for WordPress is vulnerable to reflected cross-site scripting because the PATH_INFO supplied to admin.php is not properly sanitized or escaped. An attacker can craft a malicious URL that, when clicked by an unsuspecting user, injects arbitrary JavaScript into the response. This flaw falls under CWE-79 and can be used to hijack a user session, deface a page, or perform other client-side attacks.

Affected Systems

All installations of the Twitscription plugin through version 0.1.1 are affected. The plugin is distributed by the vendor natambu and is used within the WordPress ecosystem.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Consistent with the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C), the attack needs no authentication on the attacker's side but does require user interaction: an unauthenticated attacker crafts a link to admin.php carrying a malicious PATH_INFO and must persuade a user to open it, at which point the injected script runs in that user's browser session.

Generated by OpenCVE AI on April 21, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Twitscription plugin to the latest release (version 0.1.2 or later) which removes the unsanitized PATH_INFO handling.
  • If an update cannot be applied immediately, disable the Twitscription plugin or restrict access to admin.php so that no user can trigger the vulnerable code.
  • Modify the plugin’s source to sanitize or properly escape the PATH_INFO variable before output, for example by applying WordPress sanitization functions such as wp_unslash and esc_html.
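An added illustration, not the plugin's source and not OpenCVE's: a hypothetical admin.php handler that reflects PATH_INFO into markup, beside the hardened form the recommended actions describe and a version that stops reflecting the request path altogether. wp_unslash, esc_attr, esc_html and admin_url are real WordPress functions; the function_exists fallbacks and the page slug "twitscription" are assumptions so the file runs outside WordPress.

```php
<?php
// Added example, not the Twitscription plugin's source: a hypothetical admin.php
// handler that reflects PATH_INFO into markup, beside the hardened version.
// Stand-ins so the file runs outside WordPress; inside WordPress the real
// wp_unslash(), esc_attr(), esc_html() and admin_url() are already defined.
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}
if (!function_exists('esc_attr')) {
    function esc_attr($t) { return htmlspecialchars((string) $t, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($t) { return htmlspecialchars((string) $t, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('admin_url')) {
    function admin_url($p = '') { return 'https://example.invalid/wp-admin/' . ltrim($p, '/'); }
}

// A request for /wp-admin/admin.php/<tail> reaches PHP with <tail> in PATH_INFO.
// Vulnerable pattern: the client-controlled tail goes straight into an attribute
// and a heading, so a quote or angle bracket in it ends the attribute or tag.
function render_vulnerable(string $path_info): string {
    return '<form method="post" action="/wp-admin/admin.php' . $path_info . '">'
         . '<h2>Twitscription' . $path_info . '</h2></form>';
}

// Hardened pattern (what the recommended actions describe): unslash, then escape
// with the function that matches each output context, attribute vs. text node.
function render_hardened(string $path_info): string {
    $p = wp_unslash($path_info);
    return '<form method="post" action="/wp-admin/admin.php' . esc_attr($p) . '">'
         . '<h2>Twitscription' . esc_html($p) . '</h2></form>';
}

// Preferred: do not reflect the requested path at all. Build the action from a
// known-good admin URL so nothing the client sent reaches the markup.
function render_preferred(): string {
    $action = esc_attr(admin_url('admin.php?page=twitscription')); // slug is assumed
    return '<form method="post" action="' . $action . '"><h2>Twitscription</h2></form>';
}

// Constructed sample: a PATH_INFO tail that would close the action attribute.
$sample = '/"><b>injected</b>';
$safe   = render_hardened($sample);
// Self-check: the hardened output must contain the tail only as inert text.
if (strpos($safe, '<b>') !== false) {
    throw new RuntimeException('escaping failed');
}
echo render_vulnerable($sample), "\n", $safe, "\n", render_preferred(), "\n";
```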

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type: Description
Values Added: The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Type: Title
Values Added: Twitscription <= 0.1.1 - Reflected Cross-Site Scripting via admin.php PATH_INFO

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:34.048Z

Reserved: 2025-11-24T20:45:42.012Z

Link: CVE-2025-13623

Vulnrichment

Updated: 2025-12-05T14:23:12.411Z

NVD

Status : Deferred

Published: 2025-12-05T06:16:08.400

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13623

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses