Skip to main content

Easy Twitter Feeds CVE-2026-53736

| EUVDEUVD-2026-36137 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-10 VulnCheck GHSA-2gv2-q542-493m
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-delivered CSRF requires no attacker privileges (PR:N) but mandatory victim interaction (UI:R); integrity impact is low, limited to unauthorized post duplication with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 22:01 EUVD
Analysis Generated
Jun 10, 2026 - 21:22 vuln.today

DescriptionCVE.org

Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type.

AnalysisAI

Cross-site request forgery in the Easy Twitter Feeds WordPress plugin (versions before 1.2.13) allows unauthenticated remote attackers to trigger unauthorized post duplication by tricking an authenticated site user into visiting a crafted URL. The duplicate_post action handler fails to verify WordPress nonces, meaning any authenticated user's browser session can be silently weaponized to clone posts of any post type without their knowledge. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor-released fix is version 1.2.13.

Technical ContextAI

Easy Twitter Feeds is a WordPress plugin developed by bplugins (CPE: cpe:2.3:a:bplugins:easy_twitter_feeds:*:*:*:*:*:*:*:*) that embeds Twitter feed content into WordPress sites. WordPress relies on cryptographic nonces - time-limited, user-bound tokens - as its primary CSRF defense for admin actions. CWE-352 (Cross-Site Request Forgery) identifies the root cause: the duplicate_post action handler processes the request without validating a nonce, meaning the server cannot distinguish a legitimate administrator action from one forged by an external page. Because WordPress AJAX and form submissions carrying a valid authenticated session cookie are trusted by default when nonces are absent, any browser tab opened by a logged-in user can be used as an unwitting forger.

RemediationAI

Update Easy Twitter Feeds to version 1.2.13 or later via the WordPress plugin dashboard or by downloading directly from https://wordpress.org/plugins/easy-twitter-feeds/. This version adds proper WordPress nonce verification to the duplicate_post action handler, closing the CSRF vector. If immediate patching is not possible, a compensating control is to restrict access to the WordPress admin dashboard using IP allowlisting or VPN, which prevents unauthenticated network actors from delivering the crafted request to a logged-in administrator's session; note that this mitigation does not help if the authenticated user accesses WordPress from an untrusted network. Disabling the duplicate post feature entirely until the patch is applied is another option, though this requires direct code-level or filter-based modification. Enforcing strict Content Security Policy headers does not mitigate CSRF and should not be relied upon as a workaround here.

Share

CVE-2026-53736 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy