WordPress · Custom Twitter Feeds · CVE-2026-6177
**Name of the Vulnerable Software and Affected Versions**
Custom Twitter Feeds versions prior to 2.5.5
**Description**
The Custom Twitter Feeds plugin for WordPress contains a Stored Cross-Site Scripting issue. The `CTF_Display_Elements::get_post_text()` function fails to escape output when rendering cached tweet text. Specifically, the `ctf_get_more_posts` AJAX action is accessible to unauthenticated users and outputs cached tweet data through `nl2br()` without HTML escaping. An attacker can inject malicious HTML or JavaScript into the cached tweet data, and it then executes in the browser of any unauthenticated user who accesses the affected endpoint.
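The escaping defect the advisory describes, as an added example that is not the plugin's own code: a hypothetical stand-in for a function that renders cached tweet text, first in the vulnerable form (`nl2br()` applied to unescaped text) and then hardened by escaping before the line breaks are inserted. The function names, the template markup and the sample cache entry are constructed for this illustration; `esc_html()` is WordPress's escaping helper, and a fallback is defined so the file also runs under plain PHP.

```php
<?php
// Added example, not code from the Custom Twitter Feeds plugin. Function names,
// template markup and the sample cache entry are constructed for illustration.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html() so the file runs outside WordPress:
    // &, <, >, " and ' become entities and invalid UTF-8 is substituted.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: cached text goes straight to nl2br(), so any markup that
// reached the cache is emitted as-is and the visitor's browser interprets it.
function render_post_text_vulnerable(string $cached_text): string
{
    return '<p class="tweet-text">' . nl2br($cached_text) . '</p>';
}

// Hardened pattern: escape first, then insert line breaks. nl2br() only adds
// "<br />" before each newline and leaves the entities untouched, so the only
// markup in the output is the markup this function writes itself.
function render_post_text_hardened(string $cached_text): string
{
    return '<p class="tweet-text">' . nl2br(esc_html($cached_text)) . '</p>';
}

// Review-time check: after removing the tags the template is allowed to emit,
// no other "<" may remain in the rendered output.
function contains_injected_tag(string $html): bool
{
    $allowed  = ['<p class="tweet-text">', '</p>', '<br />'];
    $stripped = str_replace($allowed, '', $html);
    return strpos($stripped, '<') !== false;
}

// Constructed sample cache entry: tweet text that carries a script tag.
$cached = "First line\n<script>alert('xss')</script>";

echo render_post_text_vulnerable($cached), PHP_EOL;
echo render_post_text_hardened($cached), PHP_EOL;

var_dump(contains_injected_tag(render_post_text_vulnerable($cached)));
var_dump(contains_injected_tag(render_post_text_hardened($cached)));
```

Run with `php example.php`: the vulnerable renderer emits the script tag verbatim and the check reports `true`, while the hardened renderer emits `&lt;script&gt;...` and the check reports `false`. The order matters: escaping after `nl2br()` would also encode the `<br />` tags the template intends to emit.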
**Recommendations**
Update the plugin to a version later than 2.5.4.
As a temporary workaround, restrict access to the `ctf_get_more_posts` AJAX action to minimize the risk of exploitation.
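One way to apply that interim restriction, as an added example and not code from the plugin or its vendor: a must-use plugin that refuses the unauthenticated variant of the action. It relies on the standard WordPress `wp_ajax_nopriv_{action}` hook and assumes (hypothetically) that the plugin registers its own handler at the default priority 10, so a callback at priority 0 runs first and ends the request before the handler executes.

```php
<?php
/**
 * Plugin Name: Block unauthenticated ctf_get_more_posts (temporary workaround)
 *
 * Added example, not code from the Custom Twitter Feeds plugin. Place this file
 * in wp-content/mu-plugins/ so it loads before regular plugins. Assumption: the
 * plugin's handler is attached to wp_ajax_nopriv_ctf_get_more_posts at the
 * default priority (10), so priority 0 runs this callback first.
 */

add_action('wp_ajax_nopriv_ctf_get_more_posts', function () {
    // Record the refusal so the effect of the workaround is visible in logs.
    $remote = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log('Blocked unauthenticated ctf_get_more_posts request from ' . $remote);

    // wp_send_json_error() sends the JSON body with the given status and then
    // calls wp_die(), so the plugin's own handler never runs for this request.
    wp_send_json_error(
        ['message' => 'Feed pagination is unavailable for anonymous visitors.'],
        403
    );
}, 0);
```

Logged-in users are unaffected because their requests go through the separate `wp_ajax_ctf_get_more_posts` hook; anonymous visitors lose the "load more" behaviour until the plugin is updated, which is the trade-off the workaround accepts.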