The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site's feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
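The following is an added illustration, not code from the Custom Twitter Feeds plugin: it contrasts the rendering pattern the advisory describes (cached tweet text passed straight through nl2br()) with an escape-first version. The function names, the sample cache entry and the esc_html() stand-in are all constructed for the example; inside WordPress the real esc_html() would be used.

```php
<?php
// Added example, not the plugin's code. Shows why nl2br() on unescaped cached
// text is an XSS sink and how escaping before nl2br() closes it.

// Stand-in for WordPress esc_html() so this file runs outside WordPress.
// esc_html() in WordPress encodes &, <, >, " and ' for HTML body context.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Unsafe (hypothetical name): newlines become <br />, but any markup present
// in the cached text is emitted verbatim into the page.
function render_tweet_text_unsafe(string $cached_text): string {
    return nl2br($cached_text);
}

// Hardened (hypothetical name): escape first, then convert newlines. nl2br()
// only inserts <br /> tags before line breaks, so running it on already
// escaped text adds no attacker-controlled markup.
function render_tweet_text_safe(string $cached_text): string {
    return nl2br(esc_html($cached_text));
}

// Constructed sample of what a cache entry might hold (not real tweet data).
$sample = "Hello\n<b>not bold</b>";

echo render_tweet_text_unsafe($sample), PHP_EOL;
echo render_tweet_text_safe($sample), PHP_EOL;
```

Run with `php example.php` to compare the two outputs: the unsafe variant leaves the `<b>` element intact, the hardened variant emits it as entity-encoded text. If the plugin needs to preserve markup it generated itself (for example link elements it built around URLs), the WordPress idiom is an allow-list filter such as wp_kses() with an explicit set of tags rather than raw output; esc_html() is the strict baseline shown here.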
The Custom Twitter Feeds WordPress plugin versions up to 2.5.4 contain a stored cross-site scripting vulnerability in the ctf_get_more_posts AJAX action that fails to properly escape cached tweet data. Unauthenticated attackers can inject malicious scripts that execute when users access the vulnerable endpoint, potentially compromising user sessions and data.
The Custom Twitter Feeds plugin, in versions up to 2.5.4, contains a stored XSS vulnerability in the CTF_Display_Elements::get_post_text() function, where cached tweet data is output without proper HTML escaping. Unauthenticated attackers can inject malicious content that is executed when users access the vulnerable endpoint.
Update the Custom Twitter Feeds plugin to version 2.5.5 or later immediately. If immediate patching is not possible, disable the plugin or restrict access to the ctf_get_more_posts AJAX endpoint using Web Application Firewall rules. Implement Content Security Policy headers to mitigate XSS impact.
Update the Custom Twitter Feeds plugin to version 2.5.5 or later immediately. If updating is not possible, disable the plugin or restrict access to the ctf_get_more_posts AJAX endpoint using firewall rules. Apply Content Security Policy headers to mitigate the impact of XSS.
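As an added example of the interim measures above (not code from the plugin vendor), the following must-use plugin pre-empts the unauthenticated ctf_get_more_posts AJAX action and adds a Content-Security-Policy header to front-end responses. It relies only on standard WordPress hooks (wp_ajax_nopriv_{action}, send_headers) and wp_send_json_error(); the policy value is a placeholder that has to be adapted to the site's own script origins.

```php
<?php
/**
 * Plugin Name: Interim block for unauthenticated ctf_get_more_posts
 *
 * Added example, not the plugin's own code. Drop into wp-content/mu-plugins/
 * until Custom Twitter Feeds is updated to 2.5.5 or later, then remove.
 */

// WordPress runs hooks in ascending priority order. Registering at priority 1
// means this callback runs before the plugin's own handler (default priority
// 10); wp_send_json_error() terminates the request, so the handler never runs.
add_action('wp_ajax_nopriv_ctf_get_more_posts', function () {
    wp_send_json_error(
        ['message' => 'This endpoint is temporarily disabled.'],
        403
    );
}, 1);

// The feed markup fetched over AJAX is inserted into front-end pages, so the
// CSP of those pages decides whether injected inline script can run.
add_action('send_headers', function () {
    if (headers_sent()) {
        return;
    }
    // Placeholder policy: replace the script-src origins with the site's real
    // ones. Omitting 'unsafe-inline' is what blocks injected inline script.
    header(
        "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' https://example.com; "
        . "object-src 'none'; base-uri 'self'"
    );
});
```

Blocking the nopriv action disables "load more" for anonymous visitors, which is the trade-off the advisory's "restrict access" option implies; the authenticated hook (wp_ajax_ctf_get_more_posts) can be handled the same way if required. Test the CSP in Content-Security-Policy-Report-Only mode first, since themes and other plugins that rely on inline scripts will break under a policy without 'unsafe-inline'.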