The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_tweeter() function uses extract() to pull shortcode attributes into local variables and then directly concatenates them into HTML output without any escaping. Specifically, the $id parameter is inserted into an HTML id attribute context without esc_attr(), allowing an attacker to break out of the attribute and inject arbitrary HTML event handlers. Additionally, the $tweet, $content, $balloon, and $theme attributes are similarly injected into inline JavaScript without escaping (lines 87, 93, 101, 117). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Twittee Text Tweet WordPress plugin versions up to 1.0.8 contains stored XSS vulnerabilities in shortcode attributes due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor access can inject arbitrary HTML and JavaScript through the 'id', 'tweet', 'content', 'balloon', and 'theme' shortcode parameters.
يحتوي مكون Twittee Text Tweet للووردبريس على ثغرات XSS مخزنة في جميع الإصدارات حتى 1.0.8 بسبب عدم كفاية تنظيف المدخلات والهروب من المخرجات. تستخدم الدالة ttt_twittee_tweeter() extract() لسحب خصائص shortcode ثم تدمجها مباشرة في مخرجات HTML دون أي هروب، مما يسمح للمهاجمين بحقن معالجات أحداث HTML وكود JavaScript عشوائي.
The Twittee Text Tweet WordPress plugin versions up to 1.0.8 contains stored XSS vulnerabilities in shortcode attributes due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor access can inject arbitrary HTML and JavaScript through the 'id', 'tweet', 'content', 'balloon', and 'theme' shortcode parameters.
Update the Twittee Text Tweet plugin to version 1.0.9 or later immediately. Implement proper input sanitization using sanitize_text_field() and output escaping using esc_attr() for HTML attributes and wp_json_encode() for JavaScript contexts. Restrict shortcode usage to trusted administrators only and audit all existing posts containing the plugin for malicious content.
قم بتحديث مكون Twittee Text Tweet إلى الإصدار 1.0.9 أو أحدث فوراً. طبق تنظيف المدخلات الصحيح باستخدام sanitize_text_field() والهروب من المخرجات باستخدام esc_attr() لخصائص HTML و wp_json_encode() لسياقات JavaScript. قيد استخدام shortcode للمسؤولين الموثوقين فقط وتدقيق جميع المنشورات الموجودة التي تحتوي على المكون بحثاً عن محتوى ضار.