CVE-2026-1911: Twitter Feeds WordPress Plugin XSS Flaw

CVE-2026-1911 Overview

The Twitter Feeds plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the tweet_title parameter within the TwitterFeeds shortcode. All versions up to and including 1.0.0 are affected due to insufficient input sanitization and output escaping. This vulnerability enables authenticated attackers with Contributor-level access or above to inject arbitrary web scripts into pages that execute whenever a user accesses the compromised page.

Critical Impact

Authenticated attackers can persistently inject malicious JavaScript that executes in the browsers of all users viewing affected pages, potentially leading to session hijacking, credential theft, or website defacement.

Affected Products

• Twitter Feeds plugin for WordPress versions up to and including 1.0.0
• WordPress installations with the Twitter Feeds plugin enabled
• Sites allowing Contributor-level or higher user access

Discovery Timeline

• March 21, 2026 - CVE-2026-1911 published to NVD
• March 23, 2026 - Last updated in NVD database

Technical Details for CVE-2026-1911

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability (CWE-79) exists in the Twitter Feeds WordPress plugin's shortcode processing functionality. The vulnerability originates from the improper handling of user-supplied input in the tweet_title parameter when processing the TwitterFeeds shortcode. Because the plugin fails to adequately sanitize input and escape output, attackers can embed persistent malicious scripts within WordPress pages.

Unlike Reflected XSS, this Stored XSS vulnerability persists in the database, meaning the malicious payload executes every time any user loads the affected page. The attack is network-accessible and requires no user interaction beyond visiting the compromised page. While the attacker needs at least Contributor-level access to exploit this vulnerability, the impact extends to all site visitors including administrators.

Root Cause

The root cause lies in the plugin's failure to implement proper input sanitization and output escaping mechanisms for the tweet_title shortcode parameter. The vulnerable code at line 490 of twitter-feeds.php directly outputs user-controlled data without adequate encoding, allowing HTML and JavaScript injection. WordPress provides functions like esc_html(), esc_attr(), and wp_kses() for sanitization, but these were not properly implemented in the affected versions.

Attack Vector

The attack vector is network-based, requiring an authenticated user with at least Contributor-level privileges. The attacker crafts a malicious TwitterFeeds shortcode with a payload in the tweet_title parameter and embeds it within a post or page. When saved, the malicious script is stored in the WordPress database. Subsequently, any user viewing the page—including administrators—triggers the script execution in their browser context.

The vulnerability could be exploited to steal session cookies, redirect users to phishing sites, modify page content, or perform actions on behalf of authenticated users. Because WordPress Contributor accounts can create posts pending review, the attack may bypass some editorial controls depending on site configuration.

Detection Methods for CVE-2026-1911

Indicators of Compromise

• Unusual JavaScript code or <script> tags within WordPress posts containing the TwitterFeeds shortcode
• Unexpected tweet_title parameter values containing HTML entities, event handlers, or script references
• Browser console errors or unexpected network requests when viewing pages with Twitter Feeds shortcodes
• User reports of suspicious redirects or pop-ups on pages featuring Twitter feeds

Detection Strategies

• Review WordPress database for posts containing TwitterFeeds shortcodes with suspicious tweet_title parameter values
• Implement Web Application Firewall (WAF) rules to detect XSS payloads in shortcode parameters
• Enable WordPress audit logging to track shortcode usage and modifications by Contributor-level users
• Scan content for common XSS patterns including javascript:, onerror=, onload=, and <script> tags

Monitoring Recommendations

• Deploy endpoint detection and response (EDR) solutions to monitor for browser-based exploitation attempts
• Configure Content Security Policy (CSP) headers to restrict inline script execution and report violations
• Monitor WordPress user activity logs for unusual content creation patterns from Contributor accounts
• Implement real-time alerting for JavaScript injection signatures in database content

How to Mitigate CVE-2026-1911

Immediate Actions Required

• Update the Twitter Feeds plugin to the latest patched version when available
• Audit all existing posts and pages using the TwitterFeeds shortcode for malicious content
• Review and restrict Contributor-level access until the vulnerability is addressed
• Consider temporarily disabling the Twitter Feeds plugin if no patch is available

Patch Information

A patched version of the Twitter Feeds plugin should be obtained from the official WordPress plugin repository. Review the WordPress Plugin Source Code for the specific vulnerable code location. Monitor the Wordfence Vulnerability Report for updated remediation guidance.

Workarounds

• Disable the Twitter Feeds plugin entirely until a security patch is released
• Restrict user registration and limit Contributor-level account creation
• Implement server-side input validation for shortcode parameters using WordPress hooks
• Deploy a WAF with rules configured to block XSS payloads in POST requests to WordPress

# WordPress CLI commands to identify potentially affected content
# Search for TwitterFeeds shortcodes in posts
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[TwitterFeeds%tweet_title%' AND post_status = 'publish'"

# Review user capabilities for contributor role
wp cap list contributor