CVE-2026-6177: XSS in Custom Twitter Feeds WordPress Plugin
Platform
wordpress
Component
custom-twitter-feeds
Fixed in
2.5.5
CVE-2026-6177 is a stored Cross-Site Scripting (XSS) vulnerability discovered in the Custom Twitter Feeds plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious scripts into cached tweet data, which are then executed when other users view the affected tweets. The vulnerability impacts versions 1.0.0 through 2.5.4 and has been resolved in version 2.5.5.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
An attacker exploiting this XSS vulnerability can execute arbitrary JavaScript code in the context of a victim's browser. This can lead to various malicious outcomes, including session hijacking, defacement of the WordPress site, redirection to phishing pages, and theft of sensitive user data. The ctfgetmore_posts AJAX action, accessible to unauthenticated users, directly outputs cached tweet data without proper HTML escaping, making it a prime target for injection. The attacker's ability to inject malicious content hinges on their ability to influence the cached tweet data, either through crafted tweets or exploiting other vulnerabilities within the plugin or WordPress itself. This vulnerability shares similarities with other XSS flaws where insufficient output encoding allows for the execution of attacker-controlled scripts.
Exploitation Context
CVE-2026-6177 was published on 2026-05-13. Its severity is rated HIGH with a CVSS score of 7.2. There is no indication of this vulnerability being on KEV or having an EPSS score at this time. Public proof-of-concept (POC) code is not yet publicly available, but the vulnerability's nature makes it likely that such code will emerge. Monitor security advisories and exploit databases for updates.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-6177 is to immediately upgrade the Custom Twitter Feeds plugin to version 2.5.5 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input in the ctfgetmore_posts AJAX action. Specifically, look for patterns indicative of JavaScript code within the tweet content. As a temporary workaround, disabling the caching of tweets within the plugin might reduce the attack surface, but this will likely impact performance. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into a tweet and verifying that it is not executed.
How to fix
Update to version 2.5.5, or a newer patched version
Frequently asked questions
What is CVE-2026-6177 — XSS in Custom Twitter Feeds WordPress Plugin?
CVE-2026-6177 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Custom Twitter Feeds plugin for WordPress versions 1.0.0 through 2.5.4. It allows attackers to inject malicious scripts into cached tweet data.
Am I affected by CVE-2026-6177 in Custom Twitter Feeds WordPress Plugin?
You are affected if you are using the Custom Twitter Feeds plugin for WordPress in versions 1.0.0 to 2.5.4. Upgrade to 2.5.5 or later to mitigate the risk.
How do I fix CVE-2026-6177 in Custom Twitter Feeds WordPress Plugin?
The recommended fix is to upgrade the Custom Twitter Feeds plugin to version 2.5.5 or later. As a temporary workaround, consider a WAF rule or disabling tweet caching.
Is CVE-2026-6177 being actively exploited?
While there is no confirmed active exploitation at this time, the vulnerability's nature makes it a likely target. Monitor security advisories and exploit databases for updates.
Where can I find the official Custom Twitter Feeds advisory for CVE-2026-6177?
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information regarding CVE-2026-6177.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...