WordPress Plugin Vulnerabilities

Custom Twitter Feeds (Tweets Widget) < 2.0 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect some of its actions against CSRF attacks, allowing an attacker to trick a logged in high privileged user to perform actions on their behalf by submitting a crafted request.

Affects Plugins

Plugin icon
custom-twitter-feeds
Fixed in 2.0

References

CVE
CVE-2022-33974

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
ed4ef1ab-dd2e-40ce-a86d-43fa1922df37

Timeline

Publicly Published
2023-05-25 (about 2 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2023-02-02
Title
PHP Execution <= 1.0.0 - Settings Update via CSRF
Published
2025-12-31
Title
iNext Woo Pincode Checker <= 2.3.1 - Cross-Site Request Forgery
Published
2022-01-12
Title
Quiz And Survey Master < 7.3.7 - CSRF
Published
2024-04-11
Title
Popup Box < 2.2.7 - Popup Deletion via CSRF
Published
2024-03-11
Title
LadiApp <= 4.4 - Cross-Site Request Forgery via ladiflow_save_hook()