Skip to content
Threat Feed
medium advisory

CVE-2026-6177 - Custom Twitter Feeds WordPress Plugin Stored XSS

The Custom Twitter Feeds plugin for WordPress is vulnerable to stored cross-site scripting (XSS) in versions up to and including 2.5.4 due to insufficient output escaping, allowing unauthenticated attackers to inject arbitrary web scripts.

The Custom Twitter Feeds plugin, a WordPress extension, contains a stored cross-site scripting (XSS) vulnerability. This flaw affects versions up to and including 2.5.4. The vulnerability stems from inadequate output sanitization within the CTF_Display_Elements::get_post_text() function, specifically when rendering cached tweet content. The ctf_get_more_posts AJAX action, accessible to unauthenticated users, directly outputs this cached tweet data using nl2br() without proper HTML escaping. Attackers can inject malicious HTML or JavaScript code into cached tweets (via direct tweets or other vulnerabilities) that will be executed when the ctf_get_more_posts endpoint is accessed. Exploitation allows unauthenticated remote attackers to execute arbitrary scripts in a victim’s browser.

Attack Chain

  1. An attacker crafts a malicious tweet containing XSS payload (e.g., <script>alert("XSS")</script>).
  2. The WordPress site with the Custom Twitter Feeds plugin configured ingests and caches the malicious tweet.
  3. The plugin stores the malicious tweet content in its cache, without sufficient sanitization.
  4. An unauthenticated user visits a page that triggers the ctf_get_more_posts AJAX action, or an attacker directly requests the AJAX endpoint.
  5. The plugin retrieves the cached tweet data containing the XSS payload.
  6. The plugin’s CTF_Display_Elements::get_post_text() function processes the cached tweet and uses nl2br() without proper escaping.
  7. The unsanitized content is embedded into the page’s HTML.
  8. The victim’s browser executes the injected JavaScript code, potentially leading to session hijacking, defacement, or redirection to malicious sites.

Impact

Successful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a user’s browser. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, or further compromise of the affected WordPress site. The number of potentially affected websites is significant, given the popularity of the Custom Twitter Feeds plugin.

Recommendation

  • Upgrade the Custom Twitter Feeds plugin to the latest version, which includes a patch for CVE-2026-6177.
  • Deploy the provided Sigma rule to detect potential exploitation attempts against the ctf_get_more_posts endpoint.
  • Monitor web server logs for suspicious requests to the ctf_get_more_posts endpoint containing common XSS payloads.

Detection coverage 2

Detect CVE-2026-6177 Exploitation - Custom Twitter Feeds Plugin XSS Attempt

medium

Detects CVE-2026-6177 exploitation — monitors requests to ctf_get_more_posts with potential XSS payloads.

sigma tactics: execution techniques: T1059.007 sources: webserver

Detect CVE-2026-6177 Exploitation - Custom Twitter Feeds Plugin XSS Response

medium

Detects CVE-2026-6177 exploitation — monitors webserver responses containing unsanitized JavaScript from the ctf_get_more_posts endpoint

sigma tactics: execution techniques: T1059.007 sources: webserver

Detection queries are available on the platform. Get full rules →