{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/custom-twitter-feeds-plugin--2.5.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6177"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Custom Twitter Feeds plugin \u003c= 2.5.4"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","CVE-2026-6177"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Custom Twitter Feeds plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 2.5.4. The flaw stems from insufficient output escaping in \u003ccode\u003eCTF_Display_Elements::get_post_text()\u003c/code\u003e when it renders cached tweet content: the \u003ccode\u003ectf_get_more_posts\u003c/code\u003e AJAX action, which is reachable by unauthenticated users, passes the cached tweet text through \u003ccode\u003enl2br()\u003c/code\u003e and writes it into the response without HTML escaping. Any HTML or JavaScript that reaches the cached tweet data (via a tweet the site\u0026rsquo;s configured feed pulls in, or via another vulnerability that writes to the cache) is therefore emitted as live markup whenever the \u003ccode\u003ectf_get_more_posts\u003c/code\u003e endpoint is accessed. 
Exploitation allows unauthenticated remote attackers to execute arbitrary scripts in a victim\u0026rsquo;s browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a tweet containing an XSS payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA WordPress site whose Custom Twitter Feeds configuration pulls in that tweet fetches it and stores the text in the plugin\u0026rsquo;s cache as-is, without sanitization.\u003c/li\u003e\n\u003cli\u003eA visitor loads a page that triggers the \u003ccode\u003ectf_get_more_posts\u003c/code\u003e AJAX action, or the attacker requests the AJAX endpoint directly; no authentication is required.\u003c/li\u003e\n\u003cli\u003eThe plugin reads the cached tweet and \u003ccode\u003eCTF_Display_Elements::get_post_text()\u003c/code\u003e runs it through \u003ccode\u003enl2br()\u003c/code\u003e with no HTML escaping.\u003c/li\u003e\n\u003cli\u003eThe unescaped content is embedded in the page\u0026rsquo;s HTML, and the victim\u0026rsquo;s browser executes the injected JavaScript, which can lead to session hijacking, defacement, or redirection to malicious sites.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of a user\u0026rsquo;s browser on the affected site. Outcomes include session hijacking, defacement, redirection to phishing sites, and, when the victim holds a privileged account, further compromise of the WordPress site. 
The number of potentially affected websites is significant, given the popularity of the Custom Twitter Feeds plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Custom Twitter Feeds plugin to the latest version, which includes the patch for CVE-2026-6177.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts against the \u003ccode\u003ectf_get_more_posts\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003ectf_get_more_posts\u003c/code\u003e endpoint that carry common XSS payloads. Because the payload in this bug lives in the cached tweet data rather than in the request, log matching will only catch direct probing of the endpoint; also review the plugin\u0026rsquo;s cached tweet content for injected markup.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:51:58Z","date_published":"2026-05-13T15:51:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6177-wordpress-xss/","summary":"The Custom Twitter Feeds plugin for WordPress is vulnerable to stored cross-site scripting (XSS) in versions up to and including 2.5.4 due to insufficient output escaping, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"CVE-2026-6177 - Custom Twitter Feeds WordPress Plugin Stored XSS","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6177-wordpress-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Custom Twitter Feeds Plugin \u003c= 2.5.4","version":"https://jsonfeed.org/version/1.1"}
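The unescaped nl2br() path described in the brief above, modelled in Python as an added example (this is not the plugin's code, and the cache entries and their field names are constructed sample data): render_vulnerable() reproduces the defect, render_fixed() escapes before adding line breaks in the order a fix of the form esc_html() then nl2br() would use, and find_injected_markup() is the cache review a responder would run, since the stored payload never appears in the request log.

```python
import html
import re
from typing import Iterable, List

# Constructed sample cache entries standing in for the plugin's cached tweet
# data (illustrative only; the field names are an assumption, not the plugin's).
CACHED_TWEETS = [
    {"id": "1", "text": "Release 2.5.4 is out!\nChangelog on the site."},
    {"id": "2", "text": "hello <script>alert(\"XSS\")</script>\nbye"},
    {"id": "3", "text": "<img src=x onerror=alert(1)>"},
    {"id": "4", "text": "Prices are 5 < 10 today & rising"},
]

# PHP nl2br() inserts <br /> before each of \r\n, \n\r, \n and \r.
_NEWLINE_RE = re.compile(r"(\r\n|\n\r|\n|\r)")


def nl2br(text: str) -> str:
    """Python equivalent of PHP nl2br(): keep the newline, prefix it with <br />."""
    return _NEWLINE_RE.sub(r"<br />\1", text)


def render_vulnerable(text: str) -> str:
    """Models the defect described for get_post_text(): cached tweet text is
    run through nl2br() and written into the page with no HTML escaping, so
    any tag already in the cache becomes live markup."""
    return nl2br(text)


def render_fixed(text: str) -> str:
    """Escape first, then add line breaks. The order matters: escaping after
    nl2br() would turn our own <br /> into text, while escaping before leaves
    <br /> as the only markup that was never under the attacker's control."""
    return nl2br(html.escape(text, quote=True))


# Anything that parses as an opening or closing HTML tag. A bare '<' followed
# by a digit or space (entry 4) is deliberately not matched to keep noise low.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_injected_markup(cache: Iterable[dict]) -> List[str]:
    """Return the ids of cached tweets whose text contains HTML tags. With the
    vulnerable renderer these are exactly the entries that would execute in a
    visitor's browser, and a request-log search cannot reveal them because the
    payload is stored server-side rather than sent by the victim."""
    return [entry["id"] for entry in cache if _TAG_RE.search(entry["text"])]


if __name__ == "__main__":
    for entry in CACHED_TWEETS:
        print(entry["id"], "vulnerable:", render_vulnerable(entry["text"]))
        print(entry["id"], "fixed:     ", render_fixed(entry["text"]))
    print("cached tweets carrying markup:", find_injected_markup(CACHED_TWEETS))
```

Run against a real installation, the cache walk would read whatever storage the plugin uses for fetched tweets; the point of the check is that the only `<` surviving in a fixed render is the `<br />` the renderer itself inserted.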