PT-2026-40602 · WordPress · Custom Twitter Feeds

Gidget Smith · Published 2026-05-13 · Updated 2026-05-13 · CVE-2026-6177

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Custom Twitter Feeds versions prior to 2.5.5

Description: The Custom Twitter Feeds plugin for WordPress contains a Stored Cross-Site Scripting issue. It occurs because the CTF_Display_Elements::get_post_text() function fails to escape output when rendering cached tweet text. Specifically, the 'ctf_get_more_posts' AJAX action is reachable by unauthenticated users and outputs cached tweet data through nl2br() without HTML escaping. An attacker can inject malicious HTML or JavaScript into the cached tweet data, which then executes when an unauthenticated user accesses the affected endpoint.

Recommendations: Update the plugin to a version later than 2.5.4. As a temporary workaround, restrict access to the 'ctf_get_more_posts' AJAX action to minimize the risk of exploitation.
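The rendering defect the description names, shown as an added example that is not the plugin's own code: cached tweet text passed straight through nl2br() beside the escaped form. Function and variable names are assumed; esc_html() is WordPress's HTML escaper, with a fallback so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): unescaped vs. escaped rendering of cached tweet text.
// esc_html() is WordPress's HTML escaper; the fallback below lets this file run outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: cached text goes through nl2br() and into the response unchanged,
// so any markup stored in the cache is interpreted by the browser as HTML.
function render_tweet_text_unsafe(string $cached_text): string {
    return nl2br($cached_text);
}

// Hardened pattern: escape first, then let nl2br() add the <br /> tags.
// The order matters: escaping after nl2br() would also encode the <br /> tags it inserted.
function render_tweet_text_safe(string $cached_text): string {
    return nl2br(esc_html($cached_text));
}

// Constructed cached tweet (assumed sample) carrying markup that must render as literal text.
$cached = "Hello\n<script>alert(1)</script>";

// The unsafe renderer emits the <script> element intact; the safe one emits it entity-encoded.
echo "unsafe: ", render_tweet_text_unsafe($cached), PHP_EOL;
echo "safe:   ", render_tweet_text_safe($cached), PHP_EOL;
```

Output intended as HTML must be escaped in the handler that builds the response, not only in templates, because AJAX handlers registered for unauthenticated callers return their output directly to the browser.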

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-6177

Affected Products: Custom Twitter Feeds