CVE-2025-48321
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-28

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Cross-Site Request Forgery (CSRF) vulnerability in dyiosah Ultimate twitter profile widget ultimate-twitter-profile-widget allows Stored XSS.This issue affects Ultimate twitter profile widget: from n/a through <= 1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-28
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-08-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-48321
EUVD
EUVD-2025-26038
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dyiosah ultimate_twitter_profile_widget *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) in the Ultimate Twitter Profile Widget WordPress plugin (version 1.0 and earlier) that allows an attacker to perform Stored Cross-Site Scripting (XSS). An attacker can trick authenticated users with higher privileges into executing unwanted actions, which can lead to the attacker injecting malicious scripts that persist on the site. [1]

Impact Analysis

The vulnerability can compromise your site by allowing attackers to execute malicious scripts via stored XSS, potentially leading to unauthorized actions, data theft, or site defacement. Since the plugin is abandoned with no official fix, the risk remains unless mitigated by virtual patching or replacing the plugin. Simply deactivating the plugin does not fully remove the risk. [1]

Detection Guidance

Detection of this vulnerability involves identifying if the Ultimate Twitter Profile Widget plugin version 1.0 or earlier is installed and active on your WordPress site. Since the vulnerability allows CSRF leading to Stored XSS, monitoring for unusual or unauthorized changes in the widget settings or unexpected script injections in the site content can be indicators. There are no specific commands provided for detection, but checking the plugin version can be done via WordPress CLI with: `wp plugin list` to see if the vulnerable plugin is installed and active. Additionally, monitoring HTTP requests for suspicious CSRF attempts or unexpected POST requests to the widget's endpoints may help. However, no direct detection commands are specified. [1]

Mitigation Strategies

Immediate mitigation steps include replacing the Ultimate Twitter Profile Widget plugin with a secure alternative, as the plugin is abandoned and has no official fix. Simply deactivating the plugin does not fully eliminate the risk unless a virtual patch (vPatch) is applied. Patchstack offers virtual patching to quickly mitigate this vulnerability. Users are also advised to seek professional incident response if their sites are compromised. Avoid relying solely on plugin-based malware scanners for protection. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-48321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart