Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Keir Whitaker Twitter News Feed twitter-news-feed allows Reflected XSS.This issue affects Twitter News Feed: from n/a through <= 1.1.1.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, classified as Cross‑Site Scripting. When a crafted request reaches the Twitter News Feed plugin, the plugin reflects the malicious payload back into the response, enabling an attacker to inject arbitrary JavaScript into the victim’s browser. This can lead to data theft, session hijacking, or defacement of the site for users who view the affected page. The weakness is identified as CWE-79.

Affected Systems

Keir Whitaker Twitter News Feed plugin, versions from the earliest release up to and including 1.1.1 are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity for this flaw. The EPSS score of less than 1% shows a very low probability that it is currently being actively exploited, and it is not listed in CISA’s KEV catalog. The likely attack vector is a reflected XSS scenario in which an attacker sends a specially crafted URL to an unsuspecting user; the user’s browser then executes the payload when the page is rendered.

Generated by OpenCVE AI on May 1, 2026 at 15:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Twitter News Feed plugin to the latest stable release (>= 1.1.2).
  • If an update is not yet available, deactivate or delete the plugin to remove the vulnerable code path.
  • Configure your web application firewall or input‑filtering layer to reject or sanitize any script content that appears in the query parameters processed by the plugin.

Generated by OpenCVE AI on May 1, 2026 at 15:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5753 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Twitter News Feed allows Reflected XSS. This issue affects Twitter News Feed: from n/a through 1.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Twitter News Feed allows Reflected XSS. This issue affects Twitter News Feed: from n/a through 1.1.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Keir Whitaker Twitter News Feed twitter-news-feed allows Reflected XSS.This issue affects Twitter News Feed: from n/a through <= 1.1.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Twitter News Feed allows Reflected XSS. This issue affects Twitter News Feed: from n/a through 1.1.1.
Title WordPress Twitter News Feed plugin <= 1.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:09.643Z

Reserved: 2025-01-16T11:25:03.612Z

Link: CVE-2025-23464

cve-icon Vulnrichment

Updated: 2025-03-03T15:56:52.798Z

cve-icon NVD

Status : Deferred

Published: 2025-03-03T14:15:36.070

Modified: 2026-06-17T08:54:34.800

Link: CVE-2025-23464

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T15:15:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')