Plugin inspection:

JM Twitter Cards

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 6.0 of this plugin, but the most recent version is 11.1.1. These findings may no longer be correct.

Findings

This plugin contains a full path disclosure vulnerability: in certain configurations accessing a certain url will reveal the location of the WordPress installation on the server.

Text settings (e.g. Creator) are not escaped when output as meta tags. Fields are sanitised when filled in manually, but not when uploaded in a json settings file, so it’s possible to execute JavaScript through the meta tags. The upload is nonce-protected so this is not realistically exploitable.

Includes the source code of a metaboxes library – including test and configuration files – this does not seem to be unsafe or used unsafely: https://github.com/WebDevStudios/Custom-Metaboxes-and-Fields-for-WordPress

Reason for the 'Use with caution' result

The plugin has been given this recommendation at the tester's discretion:

This plugin contains a full path disclosure vulnerability if display_errors is switched on.

Failure criteria

  • Lack of proper output escaping

Read more about our failure criteria.