Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

custom_twitter_feeds

Source -

ADPNVD

CNA CVEs -

0

ADP CVEs -

1

CISA CVEs -

0

NVD CVEs -

5
Related CVEsRelated VendorsRelated AssignersReports
5Vulnerabilities found
CVE-2024-49685
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.96%
||
7 Day CHG~0.00%
Published-31 Oct, 2024 | 09:59
Updated-05 Feb, 2025 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Twitter Feeds plugin <= 2.2.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) allows Cross Site Request Forgery.This issue affects Custom Twitter Feeds (Tweets Widget): from n/a through 2.2.3.

Action-Not Available
Vendor-Smash Balloon, LLC (Smash Balloon)
Product-custom_twitter_feedsCustom Twitter Feeds (Tweets Widget)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8983
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.77%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 06:00
Updated-27 Aug, 2025 | 12:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom Twitter Feeds < 2.2.3 - Admin+ Stored XSS

Custom Twitter Feeds WordPress plugin before 2.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownSmash Balloon, LLC (Smash Balloon)
Product-custom_twitter_feedsCustom Twitter Feedscustom_twitter_feeds
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-0379
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-18.02% / 94.91%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-05 Feb, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctf_auto_save_tokens function. This makes it possible for unauthenticated attackers to update the site's twitter API token and secret via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Smash Balloon, LLC (Smash Balloon)
Product-custom_twitter_feedsCustom Twitter Feeds – A Tweets Widget or X Feed Widget
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-52136
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.97%
||
7 Day CHG~0.00%
Published-05 Jan, 2024 | 08:33
Updated-17 Jun, 2025 | 20:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Twitter Feeds (Tweets Widget) Plugin <= 2.1.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds – A Tweets Widget or X Feed Widget.This issue affects Custom Twitter Feeds – A Tweets Widget or X Feed Widget: from n/a through 2.1.2.

Action-Not Available
Vendor-Smash Balloon, LLC (Smash Balloon)
Product-custom_twitter_feedsCustom Twitter Feeds – A Tweets Widget or X Feed Widget
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-33974
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 15.32%
||
7 Day CHG~0.00%
Published-29 May, 2023 | 00:10
Updated-01 Nov, 2024 | 13:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Twitter Feeds (Tweets Widget) Plugin <= 1.8.4 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) plugin <= 1.8.4 versions.

Action-Not Available
Vendor-Smash Balloon, LLC (Smash Balloon)
Product-custom_twitter_feedsCustom Twitter Feeds (Tweets Widget)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)