Description

WordPress Plugin Floating Tweets is prone to multiple vulnerabilities, including cross-site scripting and directory traversal vulnerabilities. Exploiting these issues may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, allowing the attacker to steal cookie-based authentication credentials and launch other attacks or to obtain sensitive information that could aid in further attacks. WordPress Plugin Floating Tweets version 1.0.1 is vulnerable; prior versions may also be affected.

Remediation

Edit the source code to ensure that input is properly sanitised and verified or disable the plugin until a fix is available

References

http://websecurity.com.ua/6023/

http://packetstormsecurity.com/files/119499/WordPress-Floating-Tweets-1.0.1-XSS-Directory-Traversal.html

Related Vulnerabilities

MediaWiki CVE-2019-12473 Vulnerability (CVE-2019-12473)

WordPress Plugin Web Application Firewall-website security Unspecified Vulnerability (2.1.2)

WordPress Plugin miniOrange's Google Authenticator-WordPress Two Factor Authentication (2FA, MFA, OTP SMS and Email)-Passwordless login Cross-Site Scripting (5.4.39)

WordPress Plugin Video Lead Form 'errMsg' Parameter Cross-Site Scripting (0.5)

WordPress Plugin Events Manager Multiple Cross-Site Scripting Vulnerabilities (5.3.3)

Severity

High

Classification

CWE-22 CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update