Cross-Site Request Forgery Vulnerability (CSRF) in WP to Twitter
Recently we wrote a post, Don’t Expect That Someone Else Has Checked The Security of the WordPress Plugins You Use, about the fact that you can’t expect that others have checked the security of the plugins you use. That obviously applies to us as well as everyone else, so we are taking a closer look at the plugins we use and have spotted one minor security issue so far. That issue was a cross-site request forgery (CSRF) vulnerability in WP to Twitter’s function for saving its options.
The vulnerability would have allowed an attacker who could get a logged-in Administrator level user to visit a page they control to change the plugin’s settings. This type of vulnerability isn’t something we see attempts to exploit in general, and when it can’t be combined with something more serious like cross-site scripting (XSS) it would be little more than a nuisance if exploited. In this case the plugin’s settings seemed to be hardened against cross-site scripting.
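As an added illustration, and not WP to Twitter’s own code, this is the pattern that closes this class of bug in a WordPress settings handler: a nonce is emitted with the settings form and verified, together with a capability check, before any option is written. The option name, field names and function names are hypothetical.

```php
<?php
// Illustrative settings page for a hypothetical plugin (not WP to Twitter's code).
// Option name 'example_plugin_opts' and all field names are assumptions.

// Settings form: emit a nonce bound to a specific action and to the current user.
function example_settings_form() {
    $opt = get_option( 'example_plugin_opts', array() );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_opts', 'example_nonce' ); ?>
        <input type="text" name="example_prefix"
               value="<?php echo esc_attr( $opt['prefix'] ?? '' ); ?>">
        <input type="submit" name="example_submit" value="Save">
    </form>
    <?php
}

// Save handler. A vulnerable handler would go straight from the
// isset( $_POST['example_submit'] ) test to update_option(); any page
// the administrator visits could then POST this form on their behalf.
function example_save_options() {
    if ( ! isset( $_POST['example_submit'] ) ) {
        return false;
    }
    // Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // CSRF check: a cross-site form cannot supply a valid nonce, because the
    // nonce value depends on the logged-in user, the action and a time window.
    if ( ! isset( $_POST['example_nonce'] ) ||
         ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_opts' ) ) {
        return false;
    }
    // Sanitize before storing so the stored setting cannot carry markup.
    $opt = array(
        'prefix' => sanitize_text_field( wp_unslash( $_POST['example_prefix'] ?? '' ) ),
    );
    update_option( 'example_plugin_opts', $opt );
    return true;
}
```

Returning false rather than calling wp_die() keeps the example simple; check_admin_referer() is the WordPress helper that performs the same nonce check and aborts on failure.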