Custom Twitter Feeds – A Tweets Widget or X Feed Widget Security & Risk Analysis

wordpress.org/plugins/custom-twitter-feeds

Display X posts (Twitter tweets) from any public user account in a clean, attractive looking feed that updates weekly.

Active installs: 100K
Version: 2.5.4
PHP: 7.4+
WordPress: 5.3+
Updated: Mar 12, 2026
Tags: custom-twitter-feed, twitter, twitter-feed, twitter-widget, x-feed

Security score: 97/100
Grade: A · Safe
CVEs total: 7
Unpatched: 0
Last CVE: Mar 19, 2025
Safety Verdict

Is Custom Twitter Feeds – A Tweets Widget or X Feed Widget Safe to Use in 2026?

Generally Safe

Score 97/100

Custom Twitter Feeds – A Tweets Widget or X Feed Widget has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Mar 19, 2025 · Updated 21d ago
Risk Assessment

The custom-twitter-feeds plugin version 2.5.4 exhibits a mixed security posture. While it shows some positive signs like the absence of dangerous functions and a reasonable percentage of SQL queries using prepared statements, several areas raise concerns. The presence of 12 AJAX handlers without authentication checks is a significant risk, potentially allowing unauthorized users to interact with sensitive plugin functionality. Furthermore, taint analysis revealed 6 flows with unsanitized paths, including 2 of high severity, indicating potential vulnerabilities if these paths are exploited with malicious input. The plugin's vulnerability history is also noteworthy, with 7 known medium-severity CVEs primarily related to Cross-Site Request Forgery and Cross-Site Scripting. Although there are currently no unpatched CVEs, this pattern suggests a recurring tendency for these types of vulnerabilities to emerge, which warrants attention for ongoing secure development practices. In conclusion, while the plugin has strengths in its avoidance of dangerous functions and partial use of prepared statements, the significant number of unprotected AJAX endpoints, high-severity taint flows, and past vulnerability patterns necessitate caution and thorough auditing.

Key Concerns

  • 12 AJAX handlers without authentication checks
  • 2 high severity taint flows with unsanitized paths
  • 6 flows with unsanitized paths
  • 7 known medium severity CVEs in vulnerability history
Vulnerabilities: 7

Custom Twitter Feeds – A Tweets Widget or X Feed Widget Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 2 CVEs
2024: 3 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 7
7 total CVEs (all patched)

CVE-2025-1314 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Custom Twitter Feeds <= 2.2.5 - Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function

Mar 19, 2025 · Patched in 2.3.0 (1d)

CVE-2024-49685 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Custom Twitter Feeds (Tweets Widget) <= 2.2.3 - Cross-Site Request Forgery

Oct 21, 2024 · Patched in 2.2.4 (10d)

CVE-2024-8983 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Sep 17, 2024 · Patched in 2.2.3 (32d)

CVE-2024-0379 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 - Cross-Site Request Forgery to Plugin Options Update

Feb 6, 2024 · Patched in 2.2.2 (175d)

CVE-2023-52136 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Custom Twitter Feeds (Tweets Widget) <= 2.1.2 - Cross-Site Request Forgery

Dec 28, 2023 · Patched in 2.2 (26d)

CVE-2022-33974 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Custom Twitter Feeds (Tweets Widget) <= 1.8.4 - Cross-Site Request Forgery

May 25, 2023 · Patched in 2.0 (243d)

WF-0efff314-b14f-4af4-b225-ba7e41d01b2e-custom-twitter-feeds · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Plugins (Various Versions) - Reflected Cross-Site Scripting

Jul 20, 2021 · Patched in 1.8.2 (917d)
Code Analysis
Analyzed Mar 16, 2026

Custom Twitter Feeds – A Tweets Widget or X Feed Widget Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 65 (77 prepared)
Unescaped Output: 173 (319 escaped)
Nonce Checks: 38
Capability Checks: 49
File Operations: 9
External Requests: 15
Bundled Libraries: 0

SQL Query Safety

54% prepared (142 total queries)

Output Escaping

65% escaped (492 total outputs)

Data Flows: 6 unsanitized

Data Flow Analysis

14 flows, 6 with unsanitized paths
access_token_button (inc\CtfAdmin.php:105)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface: 12 unprotected

Custom Twitter Feeds – A Tweets Widget or X Feed Widget Attack Surface

Entry Points: 49
Unprotected: 12

AJAX Handlers (47)

nopriv · wp_ajax_ctf_get_more_posts · custom-twitter-feed.php:486
auth · wp_ajax_ctf_get_more_posts · custom-twitter-feed.php:487
auth · wp_ajax_ctf_do_locator · custom-twitter-feed.php:519
nopriv · wp_ajax_ctf_do_locator · custom-twitter-feed.php:520
auth · wp_ajax_ctf_clear_cache_admin · custom-twitter-feed.php:849
auth · wp_ajax_ctf_deactivate_addon · inc\Admin\addon-functions.php:38
auth · wp_ajax_ctf_activate_addon · inc\Admin\addon-functions.php:77
auth · wp_ajax_ctf_install_addon · inc\Admin\addon-functions.php:180
auth · wp_ajax_ctf_check_license · inc\Admin\CTF_Admin_Notices.php:37
auth · wp_ajax_ctf_dismiss_license_notice · inc\Admin\CTF_Admin_Notices.php:38
auth · wp_ajax_ctf_dismiss_upgrade_notice · inc\Admin\CTF_Admin_Notices.php:39
auth · wp_ajax_ctf_save_settings · inc\Admin\CTF_Global_Settings.php:53
auth · wp_ajax_ctf_activate_license · inc\Admin\CTF_Global_Settings.php:54
auth · wp_ajax_ctf_deactivate_license · inc\Admin\CTF_Global_Settings.php:55
auth · wp_ajax_ctf_test_connection · inc\Admin\CTF_Global_Settings.php:56
auth · wp_ajax_ctf_recheck_connection · inc\Admin\CTF_Global_Settings.php:57
auth · wp_ajax_ctf_import_settings_json · inc\Admin\CTF_Global_Settings.php:58
auth · wp_ajax_ctf_export_settings_json · inc\Admin\CTF_Global_Settings.php:59
auth · wp_ajax_ctf_clear_cache_settings · inc\Admin\CTF_Global_Settings.php:60
auth · wp_ajax_ctf_clear_persistent_cache · inc\Admin\CTF_Global_Settings.php:61
auth · wp_ajax_ctf_clear_twittercard_cache · inc\Admin\CTF_Global_Settings.php:62
auth · wp_ajax_ctf_clear_image_resize_cache · inc\Admin\CTF_Global_Settings.php:63
auth · wp_ajax_ctf_dpa_reset · inc\Admin\CTF_Global_Settings.php:64
auth · wp_ajax_ctf_review_notice_consent_update · inc\Admin\CTF_New_User.php:39
auth · wp_ajax_ctf_dashboard_notification_dismiss · inc\Admin\CTF_Notifications.php:87
auth · wp_ajax_ctf_export_settings_json · inc\Admin\CTF_Support.php:50
nopriv · wp_ajax_ctf_run_one_click_upgrade · inc\Admin\CTF_Upgrader.php:42
auth · wp_ajax_ctf_maybe_upgrade_redirect · inc\Admin\CTF_Upgrader.php:43
auth · wp_ajax_ctf_lite_dismiss · inc\admin-hooks.php:383
auth · wp_ajax_ctf_feed_saver_manager_builder_update · inc\Builder\CTF_Feed_Saver_Manager.php:27
auth · wp_ajax_ctf_feed_saver_manager_get_feed_settings · inc\Builder\CTF_Feed_Saver_Manager.php:28
auth · wp_ajax_ctf_feed_saver_manager_get_feed_list_page · inc\Builder\CTF_Feed_Saver_Manager.php:29
auth · wp_ajax_ctf_feed_saver_manager_get_locations_page · inc\Builder\CTF_Feed_Saver_Manager.php:30
auth · wp_ajax_ctf_feed_saver_manager_delete_feeds · inc\Builder\CTF_Feed_Saver_Manager.php:31
auth · wp_ajax_ctf_feed_saver_manager_duplicate_feed · inc\Builder\CTF_Feed_Saver_Manager.php:32
auth · wp_ajax_ctf_feed_saver_manager_clear_single_feed_cache · inc\Builder\CTF_Feed_Saver_Manager.php:33
auth · wp_ajax_ctf_feed_saver_manager_importer · inc\Builder\CTF_Feed_Saver_Manager.php:34
auth · wp_ajax_ctf_feed_saver_manager_fly_preview · inc\Builder\CTF_Feed_Saver_Manager.php:35
auth · wp_ajax_ctf_feed_saver_manager_retrieve_comments · inc\Builder\CTF_Feed_Saver_Manager.php:36
auth · wp_ajax_ctf_feed_saver_manager_search_username_lists · inc\Builder\CTF_Feed_Saver_Manager.php:39
auth · wp_ajax_ctf_feed_saver_manager_check_twitter_list_by_id · inc\Builder\CTF_Feed_Saver_Manager.php:40
auth · wp_ajax_ctf_feed_saver_manager_connect_manual_account · inc\Builder\CTF_Feed_Saver_Manager.php:41
auth · wp_ajax_ctf_feed_saver_manager_delete_account · inc\Builder\CTF_Feed_Saver_Manager.php:42
auth · wp_ajax_ctf_feed_saver_manager_recache_feed · inc\Builder\CTF_Feed_Saver_Manager.php:45
auth · wp_ajax_ctf_background_processing · inc\ctf-functions.php:222
nopriv · wp_ajax_ctf_background_processing · inc\ctf-functions.php:223
auth · wp_ajax_ctf_usage_opt_in_or_out · inc\notices.php:130

Shortcodes (2)

[custom-twitter-feed] · custom-twitter-feed.php:441
[custom-twitter-feeds] · custom-twitter-feed.php:442

WordPress Hooks (74)

action · admin_notices · custom-twitter-feed.php:128
action · plugins_loaded · custom-twitter-feed.php:192
action · wp_loaded · custom-twitter-feed.php:387
filter · ctf_tweet_text · custom-twitter-feed.php:719
filter · ctf_tweet_text · custom-twitter-feed.php:737
filter · ctf_quoted_tweet_text · custom-twitter-feed.php:738
action · ctf_cron_job · custom-twitter-feed.php:823
action · wp_enqueue_scripts · custom-twitter-feed.php:907
action · wp_footer · custom-twitter-feed.php:925
action · wp_head · custom-twitter-feed.php:943
action · admin_enqueue_scripts · custom-twitter-feed.php:1003
filter · cron_schedules · custom-twitter-feed.php:1081
action · init · custom-twitter-feed.php:1128
action · admin_menu · inc\Admin\CTF_About_Us.php:44
action · in_admin_header · inc\Admin\CTF_Admin_Notices.php:34
action · ctf_admin_notices · inc\Admin\CTF_Admin_Notices.php:35
action · admin_notices · inc\Admin\CTF_Admin_Notices.php:36
action · admin_menu · inc\Admin\CTF_Global_Settings.php:50
filter · admin_footer_text · inc\Admin\CTF_Global_Settings.php:51
filter · update_footer · inc\Admin\CTF_Global_Settings.php:707
action · admin_init · inc\Admin\CTF_New_User.php:38
action · admin_enqueue_scripts · inc\Admin\CTF_Notifications.php:80
action · ctf_admin_notices · inc\Admin\CTF_Notifications.php:82
action · ctf_notification_update · inc\Admin\CTF_Notifications.php:85
action · admin_menu · inc\Admin\CTF_Support.php:49
filter · ctf_admin_search_label · inc\admin-hooks.php:2
filter · ctf_admin_search_whatis · inc\admin-hooks.php:7
filter · ctf_admin_validate_search_text · inc\admin-hooks.php:12
filter · ctf_admin_validate_usertimeline_text · inc\admin-hooks.php:27
filter · ctf_admin_validate_include_replies · inc\admin-hooks.php:36
filter · ctf_admin_set_include_replies · inc\admin-hooks.php:41
filter · ctf_admin_set_include_retweets · inc\admin-hooks.php:46
filter · ctf_admin_feed_type_list · inc\admin-hooks.php:67
action · ctf_admin_upgrade_note · inc\admin-hooks.php:72
action · ctf_admin_feed_settings_radio_extra · inc\admin-hooks.php:79
action · ctf_admin_feed_settings_search_extra · inc\admin-hooks.php:89
filter · ctf_admin_customize_quick_links · inc\admin-hooks.php:98
filter · ctf_admin_style_quick_links · inc\admin-hooks.php:108
action · ctf_admin_endpoints · inc\admin-hooks.php:127
filter · ctf_admin_show_hide_list · inc\admin-hooks.php:170
action · ctf_admin_style_option · inc\admin-hooks.php:236
action · ctf_admin_customize_option · inc\admin-hooks.php:267
action · ctf_admin_customize_option · inc\admin-hooks.php:285
action · ctf_admin_add_settings_sections_to_customize · inc\admin-hooks.php:349
action · ctf_admin_add_settings_sections_to_customize · inc\admin-hooks.php:359
action · admin_print_scripts · inc\admin-hooks.php:434
action · init · inc\blocks\class-ctf-blocks.php:35
action · enqueue_block_editor_assets · inc\blocks\class-ctf-blocks.php:36
action · admin_enqueue_scripts · inc\Builder\CTF_Tooltip_Wizard.php:47
action · admin_footer · inc\Builder\CTF_Tooltip_Wizard.php:48
action · ctf_feed_update · inc\ctf-functions.php:242
action · ctf_before_feed_end · inc\ctf-functions.php:251
action · ctf_before_feed_end · inc\ctf-functions.php:330
action · admin_menu · inc\CtfAdmin.php:21
action · admin_init · inc\CtfAdmin.php:22
action · wp_footer · inc\CtfFeed.php:157
action · wp_footer · inc\CtfFeed.php:176
filter · wt_cli_third_party_scripts · inc\CTF_GDPR_Integrations.php:25
filter · cmplz_known_script_tags · inc\CTF_GDPR_Integrations.php:26
action · init · inc\CTF_Tracking.php:25
filter · cron_schedules · inc\CTF_Tracking.php:26
action · ctf_usage_tracking_cron · inc\CTF_Tracking.php:27
action · admin_init · inc\CTF_Tracking.php:28
filter · sb_analytics_filter_top_posts · inc\Integrations\Analytics\SB_Analytics.php:36
filter · sb_analytics_filter_profile_details · inc\Integrations\Analytics\SB_Analytics.php:44
filter · sb_analytics_filter_feed_list · inc\Integrations\Analytics\SB_Analytics.php:52
action · admin_notices · inc\notices.php:69
action · admin_notices · inc\notices.php:72
action · ctf_smash_twitter_feed_update · inc\SmashTwitter\CronUpdaterManager.php:40
action · ctf_smash_twitter_additional_batch · inc\SmashTwitter\CronUpdaterManager.php:41
action · ctf_before_feed_start · inc\SmashTwitter\Services\ErrorReporterService.php:14
action · ctf_before_feed_start · inc\SmashTwitter\Services\ErrorReporterService.php:15
action · widgets_init · inc\widget.php:60
filter · widget_text · inc\widget.php:63

Scheduled Events (8)

ctf_feed_update
ctf_usage_tracking_cron
ctf_cron_additional_batch
ctf_feed_update
ctf_feed_update
ctf_feed_update
ctf_feed_update
ctf_smash_twitter_feed_update
Maintenance & Trust

Custom Twitter Feeds – A Tweets Widget or X Feed Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 3.4M

Community Trust

Rating: 96/100
Number of ratings: 399
Active installs: 100K

Developer Profile

Custom Twitter Feeds – A Tweets Widget or X Feed Widget Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect Custom Twitter Feeds – A Tweets Widget or X Feed Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-twitter-feeds/css/ctf-main.css
/wp-content/plugins/custom-twitter-feeds/css/ctf-style.css
/wp-content/plugins/custom-twitter-feeds/js/ctf-scripts.min.js
/wp-content/plugins/custom-twitter-feeds/css/animate.min.css
/wp-content/plugins/custom-twitter-feeds/css/sb-font-icons.css
/wp-content/plugins/custom-twitter-feeds/css/sb-font-icons.css?ver=2.5.4
/wp-content/plugins/custom-twitter-feeds/js/ctf-scripts.min.js?ver=2.5.4

Script Paths
/wp-content/plugins/custom-twitter-feeds/js/ctf-scripts.min.js

Version Parameters
custom-twitter-feeds/css/ctf-main.css?ver=
custom-twitter-feeds/css/ctf-style.css?ver=
custom-twitter-feeds/js/ctf-scripts.min.js?ver=
custom-twitter-feeds/css/animate.min.css?ver=
custom-twitter-feeds/css/sb-font-icons.css?ver=

HTML / DOM Fingerprints

CSS Classes
ctf-widget, ctf-widget-title, ctf-tweets-wrap, ctf-tweet, ctf-item, ctf-tweet-text, ctf-tweet-meta, ctf-tweet-actions (+23 more)

HTML Comments
<!-- Custom Twitter Feeds by Smash Balloon -->
<!-- Smash Balloon Custom Twitter Feed -->
<!--End Smash Balloon Custom Twitter Feed -->

Data Attributes
data-ctf-id

JS Globals
ctfSingleFeedAsyncInit, ctf_data, ctf_enqueue_scripts

REST Endpoints
/wp-json/ctf/v1/feed/

Shortcode Output
[custom-twitter-feed]
FAQ

Frequently Asked Questions about Custom Twitter Feeds – A Tweets Widget or X Feed Widget