WordPress Plugin Vulnerabilities

Tracked Tweets <= 0.2.9 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have SCRF check when updating its settings, as well as does not sanitise and escape them when outputting them back. This could allow attackers to make a logged in admin update them to arbitrary values, including XSS payloads, via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
tracked-tweets
No known fix

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
9478fd74-1729-41ca-acb5-37ee92cef649

Timeline

Publicly Published
2022-04-25 (about 4 years ago)
Added
2022-04-25 (about 4 years ago)
Last Updated
2022-04-25 (about 4 years ago)

Other

Published
Title
Published
2025-01-16
Title
W3SPEEDSTER <= 7.33 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-10-17
Title
Theme Editor < 3.1 - Cross-Site Request Forgery to Remote Code Execution
Published
2024-04-04
Title
Classified Listing < 3.0.5 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account
Published
2022-05-06
Title
Remove CPT Base < 5.9 - CPT Deletion via CSRF
Published
2025-04-04
Title
Freetobook Responsive Widget < 1.1.1 - Cross-Site Request Forgery