Plugin inspection:

WP to Twitter

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 2.6.9 of this plugin, but the most recent version is 3.4.10. These findings may no longer be correct.

Findings

Unsanitised input is passed into a class in WP_OAuth.php and saved as $this->parameters, which is then passed into a large number of complex code paths, which it was not possible properly examine during this inspection. The whole of $_POST is passed in in this way and then saved, unexamined, into the class.

It feels likely that it would be possible to craft requests that would result in unexpected input being passed into Twitter’s oauth process. However, such requests would probably have to relate to the OAuth process, which will not be used frequently. Nonetheless, care should probably be taken.

Otherwise, this plugin seems well-written and safe for use.

This plugin should be code reviewed if it is a candidate for use on a plugin where breaking the OAuth process is a notable risk.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

There is potential for an attacker to influence the OAuth process when connecting this plugin to Twitter. Users should exercise caution when authorising this plugin with Twitter, and should be vigilant if asked to repeat this process when it was not expected.

 

Failure criteria

  • Lack of input sanitisation
  • Very large codebase

Read more about our failure criteria.