Impact
The Ultimate Twitter Profile Widget plugin contains a Cross-Site Request Forgery flaw that can be abused to store malicious JavaScript on the website; once stored, the script runs automatically for every visitor, allowing attackers to harvest session cookies, deface content, or perform further malicious actions. This stored XSS can compromise confidentiality, integrity, and availability for all users who view affected pages, and it may also provide a vector for credential theft if an attacker can target logged-in administrators. The weakness is rooted in improper CSRF protection and insufficient input validation in the plugin's data storage logic, classified as CWE-352.
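To make the root cause concrete, the following is an added illustration written for this page (not code from the Ultimate Twitter Profile Widget plugin or its author): a WordPress settings handler in the weak shape the advisory describes (no nonce, no capability check, no sanitisation, unescaped output) beside a hardened version using WordPress's own nonce, capability, sanitisation and escaping functions. Every name in it (the utpw_demo_* functions, the option key, the form field and nonce names) is a hypothetical placeholder.

```php
<?php
// Added illustration; not the plugin's code. All utpw_demo_* names, the
// option key and the form field names are assumptions for this example.

// --- Weak pattern (CWE-352): any POST carrying the field is accepted, so a
// page on another site can make a logged-in admin's browser submit it, and
// whatever arrives is stored and later echoed raw to every visitor. ---
function utpw_demo_save_settings_weak() {
    if ( isset( $_POST['utpw_demo_handle'] ) ) {
        update_option( 'utpw_demo_handle', $_POST['utpw_demo_handle'] );
    }
}

function utpw_demo_render_weak() {
    // Stored value emitted without escaping: any markup it contains runs.
    echo '<div class="utpw-widget">' . get_option( 'utpw_demo_handle', '' ) . '</div>';
}

// --- Hardened pattern: capability check and nonce on write, sanitise on
// write, escape on output. ---
function utpw_demo_save_settings_hardened() {
    if ( ! isset( $_POST['utpw_demo_handle'] ) ) {
        return;
    }
    // Only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Rejects requests lacking a nonce issued for this action to this
    // user's session; a cross-site page cannot obtain that value.
    check_admin_referer( 'utpw_demo_save', 'utpw_demo_nonce' );

    // Reduce the input to the characters valid in a Twitter handle
    // (letters, digits, underscore; at most 15 characters).
    $handle = sanitize_text_field( wp_unslash( $_POST['utpw_demo_handle'] ) );
    $handle = preg_replace( '/[^A-Za-z0-9_]/', '', $handle );
    update_option( 'utpw_demo_handle', substr( $handle, 0, 15 ) );
}

function utpw_demo_render_hardened() {
    $handle = get_option( 'utpw_demo_handle', '' );
    // Escape at output as well, so anything that reached storage by another
    // path still renders as text rather than executing.
    echo '<div class="utpw-widget">@' . esc_html( $handle ) . '</div>';
}

// The settings form that issues the nonce the hardened handler expects.
function utpw_demo_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'utpw_demo_save', 'utpw_demo_nonce' );
    echo '<input type="text" name="utpw_demo_handle" value="'
        . esc_attr( get_option( 'utpw_demo_handle', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

add_action( 'admin_init', 'utpw_demo_save_settings_hardened' );
```

The two controls are independent: the nonce and capability check stop a forged request from being accepted at all, and the sanitisation plus output escaping ensure that even a value written through some other path cannot execute as script. A plugin review that finds an `update_option()` reachable from `$_POST` without a nearby `check_admin_referer()`/`wp_verify_nonce()` and `current_user_can()` call has found the shape of weakness this advisory describes.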
Affected Systems
WordPress sites running the Ultimate Twitter Profile Widget by dyiosah are affected at every version up to and including 1.0, from the initial release onward; no later release has been identified as containing a fix.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The issue is not currently listed in the CISA KEV catalog, implying no known widespread exploitation. The attack vector is inferred to require an authenticated user (typically an administrator) to be induced into submitting a crafted request that writes the malicious script to the site; once stored, the XSS effect persists for all site visitors. Given the low exploitability metrics, the residual risk is medium to high where the plugin is actively used on critical sites, especially those where an attacker could influence the content shown to visitors.
OpenCVE Enrichment