Custom Twitter Feeds – A Tweets Widget Or X Feed Widget
Approved changes feed: RSS · Atom
cpe:2.3:a:smub:custom_twitter_feeds_–_a_tweets_widget_or_x_feed_widget:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Smub (de95b648-5e6e-5830-888e-6dff235e28e3) |
|---|---|
| Product | Custom Twitter Feeds – A Tweets Widget Or X Feed Widget (ab30d962-9bfa-53ac-836f-bf0a78b9fc29) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-6177 |
vulnerable | 2026-06-03 15:27:54.849367 |
Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
HIGH (7.2)
The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site's feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
Published: 2026-05-13T12:29:53.119Z
Updated: 2026-05-13T19:31:57.701Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1314 |
vulnerable | 2026-06-03 14:59:05.025233 |
Custom Twitter Feeds <= 2.2.5 - Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function
MEDIUM (4.3)
The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-03-20T05:22:34.298Z
Updated: 2026-04-08T16:43:12.366Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-0379 |
vulnerable | 2026-06-03 14:54:02.256349 |
Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 - Cross-Site Request Forgery to Plugin Options Update
MEDIUM (4.3)
The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctf_auto_save_tokens function. This makes it possible for unauthenticated attackers to update the site's twitter API token and secret via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2024-02-20T18:56:23.650Z
Updated: 2026-04-08T16:43:23.778Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.