CVE-2026-6177— Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| smub | Custom Twitter Feeds – A Tweets Widget or X Feed Widget | ≤ 2.5.4 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6177
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site's feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Custom Twitter Feeds 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Custom Twitter Feeds 2.5.4及之前版本存在跨站脚本漏洞,该漏洞源于CTF_Display_Elements::get_post_text()函数输出转义不足,导致存储型跨站脚本攻击,未经身份验
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| smub | Custom Twitter Feeds – A Tweets Widget or X Feed Widget | 0 ~ 2.5.4 | - |
II. Public POCs for CVE-2026-6177
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6177
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: smub
- CVE-2026-5361
Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cr - CVE-2026-7619
Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injecti - CVE-2026-5488
ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing - CVE-2026-5464
ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Pl - CVE-2026-3177
Charitable – Donation Plugin for WordPress – Fundraising wit
Same weakness: CWE-79
- CVE-2018-25331
Zenar Content Management System Cross-Site Scripting via aja - CVE-2021-47981
Quick.CMS 6.7 Cross-Site Scripting via CSRF to Sliders Form - CVE-2021-47975
WordPress Plugin WP Learn Manager 1.1.2 Stored XSS - CVE-2021-47957
WordPress Plugin Cookie Law Bar 1.2.1 Stored XSS via clb_bar - CVE-2021-47955
CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload
V. Comments for CVE-2026-6177
No comments yet