WordPress Plugin Vulnerabilities

Custom Twitter Feeds < 2.3.0 - Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function

Description

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
custom-twitter-feeds
Fixed in 2.3.0

References

CVE
CVE-2025-1314
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/28d47605-ecb8-42cc-901a-3cf07b946877

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Kévin Mosbahi (Mika)
Verified
No
WPVDB ID
345affd0-6c26-4b44-80ec-752cf84c52c1

Timeline

Publicly Published
2025-03-19 (about 1 year ago)
Added
2025-03-19 (about 1 year ago)
Last Updated
2025-03-20 (about 1 year ago)

Other

Published
Title
Published
2025-05-19
Title
Year Make Model Search for WooCommerce < 1.0.12 - Cross-Site Request Forgery
Published
2024-04-12
Title
BEAF < 4.5.5 - Cross-Site Request Forgery to Notice Dismissal
Published
2025-04-04
Title
AI Content Creator <= 1.2.6 - Cross-Site Request Forgery
Published
2014-08-01
Title
Ultimate Auction 1.0 - Cross-Site Request Forgery (CSRF)
Published
2024-12-10
Title
WPC Order Notes for WooCommerce < 1.5.3 - Cross-Site Request Forgery to Reflected Cross-Site Scripting