Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdjekic Inline Tweets inline-tweets allows Stored XSS. This issue affects Inline Tweets: from n/a through <= 2.0.
Published: 2025-01-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the Inline Tweets plugin does not properly escape user‑supplied tweet content before rendering it in a WordPress page, allowing malicious script code to be stored in the tweet text and executed in the browsers of visitors who view the tweet. This stored cross‑site scripting flaw can lead to arbitrary JavaScript running client‑side for any site visitor who opens a page containing the affected tweet.

Affected Systems

The flaw affects installations of mdjekic Inline Tweets for WordPress with a version of 2.0 or earlier. The plugin is packaged as a WordPress plugin and can be downloaded and installed from the WordPress Plugin Directory under the name Inline Tweets.

Risk and Exploitability

The CVSS score of 7.1 marks the issue as a high‑severity problem, while an EPSS score of less than 1% suggests that exploitation is unlikely but still possible. It is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is the plugin’s tweet submission interface, where an attacker could supply crafted tweet content that is stored and later rendered in the page for all visitors, resulting in client‑side script execution.

Generated by OpenCVE AI on May 2, 2026 at 06:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Inline Tweets plugin to a version newer than 2.0 from mdjekic.
  • If an update cannot be applied immediately, disable or uninstall the plugin to remove the vulnerability.
  • As a temporary measure, enforce strict input validation on tweet content, escape all dynamic output, and configure a web‑application firewall to block XSS payloads.

Generated by OpenCVE AI on May 2, 2026 at 06:34 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-2846
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Miloš Đekić Inline Tweets allows Stored XSS. This issue affects Inline Tweets: from n/a through 2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Miloš Đekić Inline Tweets allows Stored XSS. This issue affects Inline Tweets: from n/a through 2.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdjekic Inline Tweets inline-tweets allows Stored XSS. This issue affects Inline Tweets: from n/a through <= 2.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 13 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jan 2025 13:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Miloš Đekić Inline Tweets allows Stored XSS. This issue affects Inline Tweets: from n/a through 2.0.
Title WordPress Inline Tweets plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.903Z

Reserved: 2025-01-07T10:23:33.283Z

Link: CVE-2025-22570

Vulnrichment

Updated: 2025-01-13T14:44:33.530Z

NVD

Status : Deferred

Published: 2025-01-13T14:15:11.940

Modified: 2026-06-17T08:48:21.520

Link: CVE-2025-22570

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:45:36Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')