VYPR
Unrated severity · NVD Advisory · Published Oct 18, 2021 · Updated Aug 3, 2024

Easy Twitter Feed < 1.2 - Contributor+ Stored Cross-Site Scripting

CVE-2021-24413

Description

Easy Twitter Feed WordPress plugin before 1.2 has a Stored XSS vulnerability via unsanitized shortcode parameters, exploitable by contributor-level users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Versions of the Easy Twitter Feed WordPress plugin before 1.2 do not sanitise or validate the attributes passed to the plugin's shortcode before writing them into the page [1]. Any user with at least the Contributor role can therefore place HTML or JavaScript in a shortcode attribute. This matters because Contributors lack the unfiltered_html capability: WordPress runs KSES over their post content and strips script and event-handler attributes from HTML tags, but text inside a shortcode's square brackets is not an HTML tag, so the payload survives the save and is only turned into markup when the plugin renders the shortcode. The payload is stored with the post and executes every time a page containing the shortcode is rendered [1].

Exploitation

An authenticated user with the Contributor role or higher inserts a crafted shortcode, with the payload carried in an attribute value (e.g., [easy_twitter_feed parameter="..."]), into a post they can create or edit [1]. Contributors cannot publish, so the first victim is typically the Editor or Administrator who previews or reviews the pending post; once the post is published, any visitor who loads the page runs the payload. No further privileges or interaction beyond viewing the affected page are required for the stored payload to trigger.
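
To make the mechanism concrete, the following is an added PHP illustration written for this page; it is not the plugin's code, and the shortcode name easy_twitter_feed, the attribute names and the markup it emits are assumptions. It places a hypothetical handler that drops attribute values straight into HTML beside a hardened version that validates each value and escapes on output, then feeds both the kind of shortcode a Contributor could store. The small shims stand in for the WordPress helpers so the file runs under php-cli; inside WordPress the real functions are used.

```php
<?php
// Added illustration for this page, not the plugin's own code. Shortcode name,
// attribute names and emitted markup are assumptions.

// Shims for the WordPress helpers so the file runs under php-cli; inside
// WordPress these functions already exist and the shims are skipped.
if (!function_exists('shortcode_parse_atts')) {
    // Simplified attribute parser: handles name="value" and name='value'.
    // Like the real one, a single-quoted value may contain double quotes.
    function shortcode_parse_atts(string $text): array {
        $atts = [];
        preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')/', $text, $m, PREG_SET_ORDER);
        foreach ($m as $match) {
            $atts[strtolower($match[1])] = $match[2] !== '' ? $match[2] : ($match[3] ?? '');
        }
        return $atts;
    }
}
if (!function_exists('shortcode_atts')) {
    // Keeps only the attribute names listed in $defaults.
    function shortcode_atts(array $defaults, array $atts): array {
        $out = [];
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable shape: attribute values are concatenated into HTML attributes as-is.
function feed_shortcode_vulnerable(array $atts): string {
    $a = shortcode_atts(['username' => 'wordpress', 'count' => '5', 'class' => ''], $atts);
    return '<div class="twitter-feed ' . $a['class'] . '" data-user="' . $a['username']
         . '" data-count="' . $a['count'] . '"></div>';
}

// Hardened shape: constrain each value to the form it must have, then escape on output.
function feed_shortcode_hardened(array $atts): string {
    $a = shortcode_atts(['username' => 'wordpress', 'count' => '5', 'class' => ''], $atts);
    // A Twitter handle is 1-15 word characters; anything else falls back to the default.
    $user  = preg_match('/^\w{1,15}$/', $a['username']) ? $a['username'] : 'wordpress';
    // Numeric attribute: coerce and clamp rather than trust the string.
    $count = min(max((int) $a['count'], 1), 50);
    // CSS class list: allow-list the character set.
    $class = preg_replace('/[^A-Za-z0-9_\- ]/', '', $a['class']);
    return '<div class="twitter-feed ' . esc_attr($class) . '" data-user="' . esc_attr($user)
         . '" data-count="' . esc_attr((string) $count) . '"></div>';
}

// Constructed post content as a Contributor could save it. KSES filters HTML
// tags in the post, but the text inside the shortcode's brackets is not a tag,
// so the double quotes and the onmouseover= fragment survive the save.
$post_content = "[easy_twitter_feed username='x\" onmouseover=\"alert(document.cookie)\" data-x=\"' count='5']";

preg_match('/^\[easy_twitter_feed\s+(.*)\]$/', $post_content, $m);
$atts = shortcode_parse_atts($m[1]);

// The vulnerable output carries a live onmouseover handler on the div;
// the hardened output keeps only a well-formed handle, count and class.
echo 'vulnerable: ' . feed_shortcode_vulnerable($atts) . PHP_EOL;
echo 'hardened:   ' . feed_shortcode_hardened($atts) . PHP_EOL;
```

The quoting is the point of the constructed input: the attacker wraps the value in single quotes so the double quotes inside it survive attribute parsing and, once echoed into a double-quoted HTML attribute, close it and open an event handler. The hardened handler does not try to filter that shape out; it rejects anything that is not a plausible handle and escapes whatever it does emit, so the fix holds regardless of the payload's form.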

Impact

Successful exploitation runs attacker-controlled JavaScript in the browser of any user who views the page, in the context of that user's session on the WordPress site [1]. Against a logged-in Administrator this can be used to perform authenticated actions on their behalf, which is how a Contributor-level foothold becomes full site compromise; against ordinary visitors it enables session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is confined to the browser of whoever views the compromised page, but because the payload is stored, it fires for every viewer.

Mitigation

The vulnerability is fixed in version 1.2 of the Easy Twitter Feed plugin, released on 2021-09-20 [1]; update to 1.2 or later. There is no configuration-level workaround for earlier versions; short of upgrading, the only options are deactivating the plugin or not granting the Contributor role (or higher) to untrusted users. Upgrading changes how stored shortcodes are rendered but does not remove shortcodes that a Contributor may already have planted, so pending and published posts from low-trust accounts are worth reviewing. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
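
Upgrading does not tell you whether a Contributor already planted a payload. The following is an added PHP example written for this page (not the plugin's or WordPress core's code) that scans post content for shortcodes whose attribute text carries markup, event handlers, script URLs or the quote-breakout shape. The shortcode tag and attribute names are assumptions, and the sample posts are constructed; in practice feed it post_content rows from wp_posts.

```php
<?php
// Added example for this page, not the plugin's or WordPress core's code.
// Flags stored shortcodes whose attribute text carries markup or script
// fragments. Feed it post_content rows from wp_posts (for example via $wpdb
// or a WP-CLI export); the posts below are constructed for the demonstration,
// and the shortcode tag and attribute names are assumptions.
const FEED_SHORTCODE_TAG = 'easy_twitter_feed';

// Fragments that have no legitimate place in a feed shortcode's attributes.
const PAYLOAD_PATTERNS = [
    'html_tag'       => '/<\s*\/?[a-z][\w-]*/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'script_url'     => '/javascript\s*:/i',
    // A double quote inside a single-quoted value (or vice versa) is the
    // attribute-breakout shape: the stored value closes one HTML attribute
    // and opens another once the plugin echoes it.
    'quote_in_value' => '/=\s*(?:\'[^\']*"[^\']*\'|"[^"]*\'[^"]*")/',
];

/**
 * Scan posts (post_id => post_content) and return one finding per suspicious
 * shortcode: ['post_id' => int, 'shortcode' => string, 'matched' => string[]].
 */
function find_shortcode_payloads(array $posts, string $tag = FEED_SHORTCODE_TAG): array
{
    $findings = [];
    $shortcode_re = '/\[' . preg_quote($tag, '/') . '\b([^\]]*)\]/i';
    foreach ($posts as $post_id => $content) {
        if (!preg_match_all($shortcode_re, $content, $m, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($m as $match) {
            $hits = [];
            foreach (PAYLOAD_PATTERNS as $name => $re) {
                if (preg_match($re, $match[1])) {
                    $hits[] = $name;
                }
            }
            if ($hits) {
                $findings[] = ['post_id' => $post_id, 'shortcode' => $match[0], 'matched' => $hits];
            }
        }
    }
    return $findings;
}

// Constructed sample rows: 101 is benign, 102 and 103 carry payloads.
$sample_posts = [
    101 => 'Our latest tweets: [easy_twitter_feed username="wordpress" count="5"]',
    102 => "Pending review. [easy_twitter_feed username='x\" onmouseover=\"alert(document.cookie)\" data-x=\"']",
    103 => 'Follow us [easy_twitter_feed username="wordpress" link="javascript:alert(1)"]',
];

foreach (find_shortcode_payloads($sample_posts) as $f) {
    printf("post %d: %s -> %s\n", $f['post_id'], implode(', ', $f['matched']), $f['shortcode']);
}
```

This is a triage heuristic, not a parser: the quote_in_value pattern will also flag an innocent apostrophe inside a double-quoted value, so treat hits as candidates for manual review. Running it against revisions as well as current content catches payloads that were planted and later edited away.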

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patch commit indexed; the fix shipped in plugin version 1.2, see Mitigation)

References: 1