CVE-2025-23762

The DsgnWrks Twitter Importer plugin for WordPress versions up to and including 1.1.4 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means that input provided via parameters (likely in a URL) is not properly sanitized before being reflected back to the user.

Exploitation requires a privileged user (such as an administrator) to perform an action, such as clicking a malicious link or visiting a crafted page [1]. The attacker does not need authentication but must trick the target user into interacting with the crafted request. This makes it suitable for mass-exploit campaigns targeting WordPress sites regardless of size.

Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript into the victim's browser within the context of the affected site. This can be used to redirect users to malicious sites, display advertisements, steal session cookies, or perform other actions on behalf of the authenticated user [1].

As of the publication date, no official patch has been released for the vulnerability. Users are advised to update the plugin immediately once a patched version becomes available. In the interim, site owners can apply a mitigation rule from Patchstack to block attacks [1]. If unable to update, contacting a hosting provider or web developer is recommended.