WordPress Plugin Vulnerabilities

Fetch Tweets <= 2.6.4 - Reflected Cross-Site Scripting

Description

The plugin does not escape some parameters before outputting them back in attributes in an admin page, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
fetch-tweets
No known fix

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
ead093a7-fd19-40d8-b34a-0d3e8a69a1f4

Timeline

Publicly Published
2021-09-21 (about 4 years ago)
Added
2021-09-21 (about 4 years ago)
Last Updated
2021-09-21 (about 4 years ago)

Other

Published
Title
Published
2023-12-19
Title
Menu Image, Icons made easy < 3.11 - Admin+ Stored XSS
Published
2026-01-22
Title
WP DSGVO Tools (GDPR) < 3.1.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'lw_content_block' Shortcode
Published
2024-03-12
Title
Shariff Wrapper < 4.6.10 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-02-05
Title
Woocommerce Vietnam Checkout < 2.0.8 - Authenticated (Shop manager+) Stored Cross-Site Scripting
Published
2023-05-02
Title
Login Rebuilder < 2.8.1 - Admin+ Stored XSS