28 Aug 2019

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Customize Feeds for Twitter

One of the changelog entries for the latest version of Customize Feeds for Twitter is “Some security issue fixed”. In looking at the changes made in that version to see if there was a vulnerability being fixed that we should be adding to the data set of our service, it looked like the code being changed might still be vulnerable, and a quick check confirmed that. The plugin has been closed on the Plugin Directory since August 8, so it is possible that the security change was made in response to the team behind that closure, but they missed the vulnerability here.

The plugin’s admin page is registered to be accessible to those logged in as Administrators: