This plugin contains a Full Path Disclosure vulnerability (CWE-200). This allows an attacker to discover the full path to the WordPress installation on the server, which they could use to assist in other attacks.
For this to happen, the site would have to have the ‘display_errors’ option set to true.
Current state: Fixed
Turn on display_errors
Request http://mydomain.com/wp-content/plugins/jm-twitter-cards/views/settings.php from a browser.
The following error message will be displayed:
Fatal error: Call to undefined function esc_html_e() in /path/to/installation/wp-content/plugins/jm-twitter-cards/views/settings.php on line 3
2015-07-30: Reported to vendor via contact form on http://www.tweetpress.fr/contact
2015-09-17: Vendor reported fixed
2015-10-12: Requested CVE
Upgrade to version 6.2 or later.
If this is not possible, ensure that display_errors is turned off on a site running this plugin.