CVE-2025-1314: 
WordPress vulnerability analysis and mitigation

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 2.2.5, discovered on March 20, 2025. The vulnerability exists due to missing or incorrect nonce validation in the ctfclearcache_admin() function (NVD).

The vulnerability is caused by improper validation of nonce tokens in the ctfclearcache_admin() function. This security flaw allows unauthenticated attackers to reset the plugin's cache via a forged request if they can trick a site administrator into performing an action such as clicking a malicious link. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) (NVD).

If exploited, this vulnerability allows attackers to force the plugin's cache to be cleared, which could potentially impact the performance and functionality of the Twitter feed on the affected website. While the impact is relatively limited since it only affects the cache, it could be used as part of a larger attack campaign to disrupt site operations (NVD).

The vulnerability has been fixed in version 2.3.0 of the Custom Twitter Feeds plugin. Site administrators are strongly recommended to update to this latest version. The update includes additional plugin hardening measures and GDPR consent plugin support (WordPress Plugin).