CVE-2014-9336

Name of the Vulnerable Software and Affected Versions iTwitter plugin versions 0.04 and earlier

Description The issue allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks. This is achieved via the itex t twitter username or itex t twitter userpass parameter in the "iTwitter.php" page to "wp-admin/options-general.php".

Recommendations For iTwitter plugin versions 0.04 and earlier, consider disabling the plugin until a patch is available to prevent exploitation. Restrict access to the iTwitter.php page and the wp-admin/options-general.php endpoint to minimize the risk of cross-site request forgery (CSRF) attacks. Avoid using the itex t twitter username and itex t twitter userpass parameters in the affected endpoint until the issue is resolved.