Custom Twitter Feeds WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Custom Twitter Feeds plugin for WordPress, affecting versions through 2.5.4. The issue arises from inadequate output escaping in the 'CTF_Display_Elements::get_post_text()' function, which handles cached tweet text. The vulnerability is exploitable via the 'ctf_get_more_posts' AJAX action, which is accessible to unauthenticated users. This action outputs cached tweet data without proper HTML escaping, relying on 'nl2br()' alone; that function only converts newlines into line-break tags and does not encode HTML characters. If an attacker can place malicious content into the cached tweet data, either by tweeting harmful links that are then cached or through other vulnerabilities, their scripts will execute when the endpoint is accessed. This allows the injection of arbitrary web scripts that run when users visit the affected page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, first tweet content that includes malicious HTML or JavaScript. Ensure that this content is cached by the site's feed configuration. Then, access the 'ctf_get_more_posts' AJAX action as an unauthenticated user. The cached tweet will be output without HTML escaping, executing the injected scripts.
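The following is an added illustration of the escaping defect described above and of the corresponding fix; it is not code from the Custom Twitter Feeds plugin, and the function names and the sample tweet text are constructed for this example. It contrasts rendering cached tweet text with 'nl2br()' alone against escaping the text as HTML first and only then adding line breaks, which is the pattern a plugin's output path for untrusted, cached third-party content should follow.

```php
<?php
// Added example (not the plugin's own code). Function names are hypothetical.

// Vulnerable pattern: nl2br() inserts <br /> before newlines but leaves
// <, >, &, and quotes untouched, so any markup in the cached text is
// emitted to the browser exactly as stored.
function render_tweet_text_unsafe(string $cached_text): string
{
    return nl2br($cached_text);
}

// Hardened pattern: HTML-escape the text first, then convert newlines.
// Inside WordPress the escaping helper is esc_html(); when this file is run
// as plain PHP outside WordPress it falls back to htmlspecialchars() with
// the same intent (encode all special characters, never emit raw markup).
function render_tweet_text_safe(string $cached_text): string
{
    $escaped = function_exists('esc_html')
        ? esc_html($cached_text)
        : htmlspecialchars($cached_text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return nl2br($escaped);
}

// Simple regression check a maintainer can run against the rendered
// output: after escaping, no raw tag delimiters should remain.
function contains_raw_markup(string $html): bool
{
    // <br /> is the only tag the safe renderer is allowed to emit.
    $without_breaks = str_replace('<br />', '', $html);

    return strpbrk($without_breaks, '<>') !== false;
}

// Constructed sample: a cached tweet whose text carries a script tag.
$sample = "Hello feed\n<script>alert(1)</script>";

echo "unsafe: " . render_tweet_text_unsafe($sample) . "\n";
echo "safe:   " . render_tweet_text_safe($sample) . "\n";

echo "unsafe contains raw markup: "
    . (contains_raw_markup(render_tweet_text_unsafe($sample)) ? 'yes' : 'no') . "\n";
echo "safe contains raw markup:   "
    . (contains_raw_markup(render_tweet_text_safe($sample)) ? 'yes' : 'no') . "\n";
```

The order of the two operations matters: escaping after 'nl2br()' would encode the inserted line-break tags as well, so the text is escaped first and line breaks are added to the already-safe string. The same rule applies regardless of whether the output is returned through an AJAX response or rendered directly in a page template.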

Remediation

Users are advised to update the Custom Twitter Feeds plugin to version 2.5.5 or later.

Added: May 13, 2026, 4:11 PM
Updated: May 13, 2026, 4:11 PM

Vulnerability Rating

Custom Algorithm

  spread          6.4
  impact          1.7
  exploitability  7.6
  remediation     7.7
  relevance       8.2
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.