Unsanitised input is passed into a class in WP_OAuth.php and saved as $this->parameters, which is then passed into a large number of complex code paths, which it was not possible properly examine during this inspection. The whole of $_POST is passed in in this way and then saved, unexamined, into the class.

It feels likely that it would be possible to craft requests that would result in unexpected input being passed into Twitter’s oauth process. However, such requests would probably have to relate to the OAuth process, which will not be used frequently. Nonetheless, care should probably be taken.

Otherwise, this plugin seems well-written and safe for use.

This plugin should be code reviewed if it is a candidate for use on a plugin where breaking the OAuth process is a notable risk.

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

There is potential for an attacker to influence the OAuth process when connecting this plugin to Twitter. Users should exercise caution when authorising this plugin with Twitter, and should be vigilant if asked to repeat this process when it was not expected.