Vulnerabilities and security research for custom-twitter-feeds
Jun 07, 2024
Custom Twitter Feeds – A Tweets Widget or X Feed Widget # CVE-2022-33974
- Date: May 29, 2023
- Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) plugin <= 1.8.4 versions.
- Affected versions: max 1.8.2.
- Status: vulnerable
Custom Twitter Feeds – A Tweets Widget or X Feed Widget # CVE-2023-52136
- Date: Jan 05, 2024
- Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds – A Tweets Widget or X Feed Widget. This issue affects Custom Twitter Feeds – A Tweets Widget or X Feed Widget: from n/a through 2.1.2.
- Affected versions: max 2.2.
- Status: vulnerable
Custom Twitter Feeds – A Tweets Widget or X Feed Widget # CVE-2024-0379
- Date: Feb 29, 2024
- Research Description: The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctf_auto_save_tokens function. This makes it possible for unauthenticated attackers to update the site's Twitter API token and secret via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions: max 2.2.2.
- Status: vulnerable
Oct 09, 2024
Custom Twitter Feeds – A Tweets Widget or X Feed Widget # CVE-2024-8983
- Date: Oct 08, 2024
- Research Description: Custom Twitter Feeds WordPress plugin before 2.2.3 is not filtering some of its settings, allowing high-privilege users to inject scripts.
- Affected versions: max 2.2.3.
- Status: vulnerable
Oct 25, 2024
Custom Twitter Feeds – A Tweets Widget or X Feed Widget # CVE-2024-49685
- Date: Oct 31, 2024
- Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) allows Cross-Site Request Forgery. This issue affects Custom Twitter Feeds (Tweets Widget): from n/a through 2.2.3.
- Affected versions: max 2.2.4.
- Status: vulnerable
Mar 21, 2025
Custom Twitter Feeds – A Tweets Widget or X Feed Widget # CVE-2025-1314
- Date: Mar 20, 2025
- Research Description: The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions: max 2.3.0.
- Status: vulnerable
May 15, 2026
Custom Twitter Feeds – A Tweets Widget or X Feed Widget # CVE-2026-6177
- Date: May 13, 2026
- Research Description: The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site's feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
- Affected versions: max 2.5.5.
- Status: vulnerable