Custom Twitter Feeds Vulnerability – A Tweets Widget or X Feed Widget – Cross-Site Request Forgery to Plugin Options Update – CVE-2024-0379 | WordPress Plugin Vulnerability Report
Plugin Name: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Key Information:
- Software Type: Plugin
- Software Slug: custom-twitter-feeds
- Software Status: Active
- Software Author: smashballoon
- Software Downloads: 2,300,603
- Active Installs: 100,000
- Last Updated: February 13, 2024
- Patched Versions: 2.2.2
- Affected Versions: <= 2.2.1
Vulnerability Details:
- Name: Custom Twitter Feeds <= 2.2.1
- Title: Cross-Site Request Forgery to Plugin Options Update
- Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CVE: CVE-2024-0379
- CVSS Score: 4.3
- Publicly Published: February 6, 2024
- Researcher: Rhynorater - Critical Thinking Podcast kodaichodai
- Description: The Custom Twitter Feeds plugin, a popular tool for integrating Twitter content into WordPress sites, has been identified with a vulnerability that allows for Cross-Site Request Forgery (CSRF) in versions up to 2.2.1. This vulnerability stems from inadequate nonce validation within the plugin's function for auto-saving Twitter API tokens, potentially allowing unauthenticated attackers to manipulate the plugin's settings if they can deceive an administrator into clicking a malicious link.
Summary:
The Custom Twitter Feeds plugin, essential for displaying Twitter content on WordPress sites, has been compromised by a CSRF vulnerability in versions up to 2.2.1. This flaw, addressed in the recent update to version 2.2.2, highlighted the critical need for stringent security measures in plugin development, particularly in functions handling sensitive information like API tokens.
Detailed Overview:
Discovered by researcher Rhynorater from the Critical Thinking Podcast, this vulnerability underscores the risks associated with insufficient security checks in plugins. By exploiting the vulnerability, attackers could potentially alter the site's Twitter API token and secret through a forged request, leading to unauthorized changes in the plugin's settings. The resolution of this issue in version 2.2.2 underscores the importance of immediate and proactive responses to security threats.
Advice for Users:
- Immediate Action: Users of the Custom Twitter Feeds plugin are advised to update to the latest version, 2.2.2, immediately to mitigate the risk posed by the CSRF vulnerability.
- Check for Signs of Vulnerability: Site administrators should review plugin settings to ensure no unauthorized changes have been made, especially concerning Twitter API tokens and secrets.
- Alternate Plugins: While the patched version addresses this vulnerability, exploring alternative Twitter feed plugins can provide additional functionality and potentially enhance site security.
- Stay Updated: Regular updates of all WordPress components are essential to protect against known vulnerabilities and maintain a secure online presence.
Conclusion:
The prompt patching of the CSRF vulnerability in the Custom Twitter Feeds plugin serves as a crucial reminder of the importance of maintaining up-to-date software within the WordPress ecosystem. For WordPress site owners, particularly those with limited time for technical maintenance, understanding the significance of regular plugin updates is paramount in safeguarding their sites from potential threats. This incident highlights the collective responsibility of developers, researchers, and users in maintaining a secure and trustworthy digital environment.
References:
- Wordfence Vulnerability Report on Custom Twitter Feeds 2.2.1
- Wordfence Vulnerability Overview for Custom Twitter Feeds