Cross-Site Request Forgery in Custom Twitter Feeds Plugin for WordPress
CVE-2024-0379

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Custom Twitter Feeds – A Tweets Widget Or X Feed Widget
Vendor: CVE Published:; 29 February 2024

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 18%

Summary

The Custom Twitter Feeds plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit Cross-Site Request Forgery (CSRF) due to inadequate nonce validation within the ctf_auto_save_tokens function. This flaw enables attackers to manipulate the site’s Twitter API tokens and secrets by tricking site administrators into executing unauthorized actions, such as clicking on malicious links. It is essential for users to be aware of this risk and implement measures to safeguard their WordPress installations.

Affected Version(s)

Custom Twitter Feeds – A Tweets Widget or X Feed Widget * <= 2.2.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-0379
Created by kodaichodai

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/custom-twitter...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

EPSS Score

18% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Sep 11, 2024
👾
Exploit known to exist
Sep 11, 2024
Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Jan 9, 2024

Credit

Justin Gardner

Kodai Kubono