Custom Twitter Feeds Plugin <= 2.5.4 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/custom-twitter-feeds-plugin--2.5.4/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 15:51:58 +0000CVE-2026-6177 - Custom Twitter Feeds WordPress Plugin Stored XSShttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6177-wordpress-xss/Wed, 13 May 2026 15:51:58 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6177-wordpress-xss/The Custom Twitter Feeds plugin for WordPress is vulnerable to stored cross-site scripting (XSS) in versions up to and including 2.5.4 due to insufficient output escaping, allowing unauthenticated attackers to inject arbitrary web scripts.The Custom Twitter Feeds plugin, a WordPress extension, contains a stored cross-site scripting (XSS) vulnerability. This flaw affects versions up to and including 2.5.4. The vulnerability stems from inadequate output sanitization within the CTF_Display_Elements::get_post_text() function, specifically when rendering cached tweet content. The ctf_get_more_posts AJAX action, accessible to unauthenticated users, directly outputs this cached tweet data using nl2br() without proper HTML escaping. Attackers can inject malicious HTML or JavaScript code into cached tweets (via direct tweets or other vulnerabilities) that will be executed when the ctf_get_more_posts endpoint is accessed. Exploitation allows unauthenticated remote attackers to execute arbitrary scripts in a victim’s browser.

Attack Chain

  1. An attacker crafts a malicious tweet containing XSS payload (e.g., <script>alert("XSS")</script>).
  2. The WordPress site with the Custom Twitter Feeds plugin configured ingests and caches the malicious tweet.
  3. The plugin stores the malicious tweet content in its cache, without sufficient sanitization.
  4. An unauthenticated user visits a page that triggers the ctf_get_more_posts AJAX action, or an attacker directly requests the AJAX endpoint.
  5. The plugin retrieves the cached tweet data containing the XSS payload.
  6. The plugin’s CTF_Display_Elements::get_post_text() function processes the cached tweet and uses nl2br() without proper escaping.
  7. The unsanitized content is embedded into the page’s HTML.
  8. The victim’s browser executes the injected JavaScript code, potentially leading to session hijacking, defacement, or redirection to malicious sites.

Impact

Successful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a user’s browser. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, or further compromise of the affected WordPress site. The number of potentially affected websites is significant, given the popularity of the Custom Twitter Feeds plugin.

Recommendation

  • Upgrade the Custom Twitter Feeds plugin to the latest version, which includes a patch for CVE-2026-6177.
  • Deploy the provided Sigma rule to detect potential exploitation attempts against the ctf_get_more_posts endpoint.
  • Monitor web server logs for suspicious requests to the ctf_get_more_posts endpoint containing common XSS payloads.
]]>mediumadvisoryxsswordpressCVE-2026-6177