Description
The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site's feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
Published: 2026-05-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from inadequate output escaping in the CTF_Display_Elements::get_post_text() function, so any malicious HTML or JavaScript present in cached tweet text is rendered as-is. When the unauthenticated ctf_get_more_posts AJAX action returns this cached content, the script runs in the context of the site, potentially enabling credential theft, defacement, or further attacks. This flaw is a conventional Stored XSS (CWE-79) whose primary impact is on the confidentiality and integrity of site users' sessions and the authenticity of the site's content.

Affected Systems

The issue affects the WordPress plugin Custom Twitter Feeds – A Tweets Widget or X Feed Widget, authored by smub, in all released versions up to and including 2.5.4. Any site running one of these plugin versions is susceptible even if WordPress core itself is secure. Versions newer than 2.5.4 are presumed fixed.

Risk and Exploitability

The CVSS score of 7.2 classifies this flaw as High severity. No EPSS score is available, so the exploitation probability cannot be quantified precisely, but Stored XSS attacks are historically common. The vulnerability can be exploited by an unauthenticated attacker who can inject malicious content into cached tweet data, typically by tweeting crafted material that the plugin caches. Once injected, any visitor accessing the ctf_get_more_posts endpoint will execute the malicious script, potentially leading to information disclosure, session hijacking, or site compromise. The flaw is not listed in CISA KEV, indicating no confirmed widespread exploitation yet, but the attack vector is clear and requires minimal prerequisites.

Generated by OpenCVE AI on May 13, 2026 at 14:50 UTC.
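The escaping defect the description attributes to get_post_text(), cached tweet text passed through nl2br() without HTML escaping, is easiest to see next to its hardened form. The PHP below is an added illustration written for this page, not code from the Custom Twitter Feeds plugin or from OpenCVE: the function names, the sample cached tweets and the leak check are constructed, and none of the plugin's actual code is reproduced.

```php
<?php
// Added illustration (not plugin code): the unsafe rendering pattern the
// advisory describes next to a hardened version. Function names, sample data
// and the leak check are constructed for this example.

// Constructed stand-in for cached tweet records. The second entry carries
// markup that must never reach the page as live HTML.
$cached_tweets = [
    ['text' => "Release 2.5.4 is out.\nChangelog in the thread."],
    ['text' => "hello <script>/* constructed marker */</script>\nbye"],
];

// Vulnerable shape: nl2br() only inserts <br /> before newlines. It does not
// neutralise < > & " ', so any markup inside $text is interpreted by the browser.
function render_tweet_text_unsafe(string $text): string {
    return nl2br($text);
}

// Hardened shape: escape first, then add line breaks. Inside WordPress the
// escaping call would be esc_html(); plain PHP's htmlspecialchars() does the
// same job and keeps this script runnable outside WordPress.
function render_tweet_text_safe(string $text): string {
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

// Defender-side check for a rendered fragment: <br /> is the only tag nl2br()
// itself emits, so any other tag in the output means unescaped data leaked.
function contains_raw_tag(string $html): bool {
    $stripped = str_ireplace('<br />', '', $html);
    return preg_match('/<\s*[a-z!\/]/i', $stripped) === 1;
}

foreach ($cached_tweets as $i => $tweet) {
    $unsafe = render_tweet_text_unsafe($tweet['text']);
    $safe   = render_tweet_text_safe($tweet['text']);
    printf("tweet %d unsafe output leaks a tag: %s\n", $i, contains_raw_tag($unsafe) ? 'yes' : 'no');
    printf("tweet %d safe output leaks a tag:   %s\n", $i, contains_raw_tag($safe) ? 'yes' : 'no');
    printf("  safe output: %s\n", $safe);
}
```

The order of the two calls is the whole point: escaping after nl2br() would turn the inserted `<br />` tags into visible text, while escaping before it, as in render_tweet_text_safe(), preserves the line breaks and neutralises everything else. The contains_raw_tag() check is the kind of assertion a reviewer can run against the AJAX response body when verifying that a patched build, or a WAF rule of the sort listed under the recommended actions, actually stops markup from reaching the page.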

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Custom Twitter Feeds plugin to the latest released version that corrects the XSS issue. This is the official and most complete remediation.
  • After upgrading, delete or clear all existing cached tweet data to remove any malicious content that may have already been stored.
  • Configure a Web Application Firewall to block or sanitize script tags in the ctf_get_more_posts AJAX response, preventing malicious code execution until a patch can be applied.

Generated by OpenCVE AI on May 13, 2026 at 14:50 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

  Type: First Time appeared
    Values added: Smub; Smub custom Twitter Feeds – A Tweets Widget Or X Feed Widget; Wordpress; Wordpress wordpress
  Type: Vendors & Products
    Values added: Smub; Smub custom Twitter Feeds – A Tweets Widget Or X Feed Widget; Wordpress; Wordpress wordpress

Wed, 13 May 2026 20:15:00 +0000

  Type: Metrics (ssvc)
    Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 12:45:00 +0000

  Type: Description
    Values added: the vulnerability description reproduced in the Description section at the top of this page
  Type: Title
    Values added: Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
  Type: Weaknesses
    Values added: CWE-79
  Type: References
    Values added: (none recorded)
  Type: Metrics (cvssV3_1)
    Values added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T19:31:57.701Z

Reserved: 2026-04-13T02:07:02.800Z

Link: CVE-2026-6177

Vulnrichment

Updated: 2026-05-13T19:31:53.134Z

NVD

Status: Deferred

Published: 2026-05-13T13:16:44.967

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-6177

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:34Z

Weaknesses