Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered CSRF requires no attacker privileges (PR:N) but mandatory victim interaction (UI:R); integrity impact is low, limited to unauthorized post duplication with no confidentiality or availability loss.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type.
AnalysisAI
Cross-site request forgery in the Easy Twitter Feeds WordPress plugin (versions before 1.2.13) allows unauthenticated remote attackers to trigger unauthorized post duplication by tricking an authenticated site user into visiting a crafted URL. The duplicate_post action handler fails to verify WordPress nonces, meaning any authenticated user's browser session can be silently weaponized to clone posts of any post type without their knowledge. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor-released fix is version 1.2.13.
Technical ContextAI
Easy Twitter Feeds is a WordPress plugin developed by bplugins (CPE: cpe:2.3:a:bplugins:easy_twitter_feeds:*:*:*:*:*:*:*:*) that embeds Twitter feed content into WordPress sites. WordPress relies on cryptographic nonces - time-limited, user-bound tokens - as its primary CSRF defense for admin actions. CWE-352 (Cross-Site Request Forgery) identifies the root cause: the duplicate_post action handler processes the request without validating a nonce, meaning the server cannot distinguish a legitimate administrator action from one forged by an external page. Because WordPress AJAX and form submissions carrying a valid authenticated session cookie are trusted by default when nonces are absent, any browser tab opened by a logged-in user can be used as an unwitting forger.
RemediationAI
Update Easy Twitter Feeds to version 1.2.13 or later via the WordPress plugin dashboard or by downloading directly from https://wordpress.org/plugins/easy-twitter-feeds/. This version adds proper WordPress nonce verification to the duplicate_post action handler, closing the CSRF vector. If immediate patching is not possible, a compensating control is to restrict access to the WordPress admin dashboard using IP allowlisting or VPN, which prevents unauthenticated network actors from delivering the crafted request to a logged-in administrator's session; note that this mitigation does not help if the authenticated user accesses WordPress from an untrusted network. Disabling the duplicate post feature entirely until the patch is applied is another option, though this requires direct code-level or filter-based modification. Enforcing strict Content Security Policy headers does not mitigate CSRF and should not be relied upon as a workaround here.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36137
GHSA-2gv2-q542-493m