
Tweet Wheel 0.3 Security Vulnerability

I was looking for a WordPress plugin that would add some Twitter functionality to my website last week. I ran across Tweet Wheel from Nerd Cow (awesome name, BTW!).

I personally can't use a plugin without at least doing a quick inspection of the code, so I took a look and saw a minor AJAX issue. It is one that wouldn't even stop me from using the code unfixed in this specific case, because nobody besides me has access to the site.

Props to Tomasz Lisiecki for taking security seriously and getting an updated version out right away, even on such a minor issue. The changelog is posted here.

[Image: tweetwheel-ajax]

Fortunately, none of the actions are registered as 'nopriv', so at least a valid WordPress user account is required to use the functionality.

[Image: tweetwheel-ajaxtweet]

Of all of the actions, this was the worst, and it is still pretty minor. The result would just be spamming Twitter with the same tweets over and over; without further access you can't even change what the tweet says.
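For readers who want to see what a properly guarded WordPress AJAX action looks like, here is an added example of the hardened pattern that the two points above (logged-in-only registration, plus checks inside the handler so that "logged in" is not the only gate) call for. It is not Tweet Wheel's code and not from Nerd Cow; the action name `example_tweet`, the `manage_options` capability, the transient-based duplicate check and the script handle are all assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): a WordPress AJAX action that is only
// reachable by logged-in users AND verifies a nonce and a capability before
// doing anything. Action name, capability and handles are assumptions.

// Register the handler on the wp_ajax_ hook only. Deliberately NOT registering
// wp_ajax_nopriv_example_tweet means anonymous visitors have no handler at all.
add_action( 'wp_ajax_example_tweet', 'example_tweet_handler' );

function example_tweet_handler() {
    // 1. Nonce check: the request must carry a token minted for this action.
    //    This stops a logged-in user's browser from being driven by another site
    //    (CSRF). check_ajax_referer() dies with -1 on failure.
    check_ajax_referer( 'example_tweet_nonce', 'nonce' );

    // 2. Capability check: a valid account is not enough. Require a capability
    //    appropriate to the action (assumed here to be manage_options).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input handling: read and sanitize the text that would be posted.
    $text = isset( $_POST['text'] ) ? sanitize_text_field( wp_unslash( $_POST['text'] ) ) : '';
    if ( '' === $text ) {
        wp_send_json_error( array( 'message' => 'Empty tweet text' ), 400 );
    }

    // 4. Repeat-submission guard (assumed design, not the plugin's): remember a
    //    hash of recently posted text for an hour so the same tweet cannot be
    //    fired "over and over" by replaying the request.
    $key = 'example_tweet_' . md5( $text );
    if ( false !== get_transient( $key ) ) {
        wp_send_json_error( array( 'message' => 'Duplicate tweet suppressed' ), 429 );
    }
    set_transient( $key, 1, HOUR_IN_SECONDS );

    // ... call the Twitter API here; omitted because it is not part of this example ...

    wp_send_json_success( array( 'posted' => $text ) );
}

// Hand the nonce and the admin-ajax URL to the admin-side JavaScript that calls
// this endpoint. The script handle and file name are assumptions.
function example_tweet_enqueue_scripts() {
    wp_enqueue_script(
        'example-tweet',
        plugins_url( 'example-tweet.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-tweet', 'exampleTweet', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_tweet_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_tweet_enqueue_scripts' );
```

The JavaScript side would send `action=example_tweet`, `nonce=exampleTweet.nonce` and `text=...` via POST to `exampleTweet.ajaxUrl`. When auditing a plugin, the things to look for are exactly the three items in the handler: is the action registered on `wp_ajax_nopriv_` (anonymous access), does the handler call `check_ajax_referer()` or `wp_verify_nonce()`, and does it call `current_user_can()` with a capability that fits what the action does.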

Timeline

  • 3/1/2015 11:43am Initial disclosure email sent
  • 3/1/2015 11:46am Reply received
  • 3/4/2015 Plugin updated on wordpress.org