The plugin did not sanitise or escape its "Consumer key" setting before outputting it on its settings page, leading to a Stored Cross-Site Scripting issue.
Proof of Concept
Put the following payload in the "Consumer key" setting of the plugin (/wp-admin/options-general.php?page=thinktwit):
- v < 1.6.7 : "><script>alert(/XSS/)</script>
- v < 1.7.1 : " style=animation-name:rotation onanimationstart=alert(/XSS/)//
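
The following added example (not the plugin's code) renders both payloads above through three hypothetical field renderers and parses the result to show which ones let the value escape the `value` attribute. The function names and the `consumer_key` field name are assumptions, the tag-stripping variant is a hypothetical partial fix, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the script runs without WordPress loaded.

```php
<?php
// Hypothetical renderers for illustration; none of this is ThinkTwit's code.
function render_field_raw(string $value): string {
    return '<input type="text" name="consumer_key" value="' . $value . '">';
}

// Hypothetical partial fix: tags are removed, but a double quote still closes the attribute.
function render_field_strip_tags(string $value): string {
    return '<input type="text" name="consumer_key" value="' . strip_tags($value) . '">';
}

// Hardened: escape for the attribute context at output time (esc_attr() in WordPress).
function render_field_escaped(string $value): string {
    return '<input type="text" name="consumer_key" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Parse the rendered markup and report the input's attributes and any script elements.
function inspect_field(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[] = $attr->name;
    }
    return [
        'attributes' => $attrs,
        'script_elements' => $doc->getElementsByTagName('script')->length,
    ];
}

// The two payloads listed in the advisory.
$payloads = [
    '"><script>alert(/XSS/)</script>',
    '" style=animation-name:rotation onanimationstart=alert(/XSS/)//',
];

foreach ($payloads as $p) {
    foreach (['render_field_raw', 'render_field_strip_tags', 'render_field_escaped'] as $fn) {
        $r = inspect_field($fn($p));
        printf("%-24s attrs=[%s] scripts=%d\n", $fn, implode(',', $r['attributes']), $r['script_elements']);
    }
}
```

A safe renderer leaves the input with only the `type`, `name` and `value` attributes and no `script` element for either payload; the second payload contains no angle brackets, so tag stripping alone does not contain it.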