CVE-2025-48321
BaseFortify
Publication date: 2025-08-28
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dyiosah | ultimate_twitter_profile_widget | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the Ultimate Twitter Profile Widget WordPress plugin (version 1.0 and earlier) that allows an attacker to perform Stored Cross-Site Scripting (XSS). An attacker can trick authenticated users with higher privileges into executing unwanted actions, which can lead to the attacker injecting malicious scripts that persist on the site. [1]
How can this vulnerability impact me? :
The vulnerability can compromise your site by allowing attackers to execute malicious scripts via stored XSS, potentially leading to unauthorized actions, data theft, or site defacement. Since the plugin is abandoned with no official fix, the risk remains unless mitigated by virtual patching or replacing the plugin. Simply deactivating the plugin does not fully remove the risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Ultimate Twitter Profile Widget plugin version 1.0 or earlier is installed and active on your WordPress site. Since the vulnerability allows CSRF leading to Stored XSS, monitoring for unusual or unauthorized changes in the widget settings or unexpected script injections in the site content can be indicators. There are no specific commands provided for detection, but checking the plugin version can be done via WordPress CLI with: `wp plugin list` to see if the vulnerable plugin is installed and active. Additionally, monitoring HTTP requests for suspicious CSRF attempts or unexpected POST requests to the widget's endpoints may help. However, no direct detection commands are specified. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the Ultimate Twitter Profile Widget plugin with a secure alternative, as the plugin is abandoned and has no official fix. Simply deactivating the plugin does not fully eliminate the risk unless a virtual patch (vPatch) is applied. Patchstack offers virtual patching to quickly mitigate this vulnerability. Users are also advised to seek professional incident response if their sites are compromised. Avoid relying solely on plugin-based malware scanners for protection. [1]