PT-2026-34283 · WordPress · Twittee Text Tweet

Zakaria · Published 2026-04-22 · Updated 2026-05-01 · CVE-2026-4089

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Twittee Text Tweet versions prior to 1.0.9

Description: Insufficient input sanitization and output escaping in the ttt_twittee_tweeter() function allow authenticated attackers with Contributor-level access and above to inject arbitrary web scripts. The function uses extract() to pull shortcode attributes into local variables and concatenates them into HTML output without escaping. Specifically, the id parameter is inserted into an HTML id attribute context without proper attribute escaping, enabling the injection of arbitrary HTML event handlers. Furthermore, the tweet, content, balloon, and theme attributes are injected into inline JavaScript without escaping.

Recommendations: Update to a version newer than 1.0.8.
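Added illustration, not the plugin's own code: a minimal shortcode handler in the shape the description gives (extract() on shortcode attributes, values concatenated into an HTML attribute and an inline script), followed by the hardened equivalent that escapes each value for the context it lands in. All function, attribute and JavaScript names here are assumed.

```php
<?php
// Added example, not the plugin's code. The handler shape follows the advisory's
// description; function names, attribute names and tttInit() are assumed.

// Unsafe pattern as described: attributes reach an HTML attribute and a <script>
// block without escaping. A Contributor can place a shortcode in a post, so every
// attribute value is attacker-controlled input.
function example_tweet_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => 'ttt-1', 'tweet' => '', 'content' => '',
                                   'balloon' => 'yes', 'theme' => 'light' ), $atts );
    extract( $atts ); // $id, $tweet, $content, $balloon, $theme become unescaped locals

    $html  = '<div id="' . $id . '" class="ttt-tweet">' . $content . '</div>';
    $html .= '<script>tttInit({ tweet: "' . $tweet . '", balloon: "' . $balloon
           . '", theme: "' . $theme . '" });</script>';
    return $html;
}

// Hardened equivalent: no extract(); each value escaped for its output context.
// esc_attr() for the attribute, wp_kses_post() for the HTML body, and
// wp_json_encode() for values that become JavaScript literals. Attributes with a
// small set of valid values (balloon, theme) are additionally allow-listed.
function example_tweet_safe( $atts ) {
    $a = shortcode_atts( array( 'id' => 'ttt-1', 'tweet' => '', 'content' => '',
                                'balloon' => 'yes', 'theme' => 'light' ), $atts );

    $balloon = in_array( $a['balloon'], array( 'yes', 'no' ), true ) ? $a['balloon'] : 'yes';
    $theme   = in_array( $a['theme'], array( 'light', 'dark' ), true ) ? $a['theme'] : 'light';
    $config  = array( 'tweet' => $a['tweet'], 'balloon' => $balloon, 'theme' => $theme );

    $html  = '<div id="' . esc_attr( $a['id'] ) . '" class="ttt-tweet">'
           . wp_kses_post( $a['content'] ) . '</div>';
    // JSON_HEX_TAG encodes < and >, so a "</script>" inside a value cannot close the block.
    $html .= '<script>tttInit(' . wp_json_encode( $config, JSON_HEX_TAG | JSON_HEX_AMP ) . ');</script>';
    return $html;
}
add_shortcode( 'example_tweet', 'example_tweet_safe' );
```

When reviewing a plugin for this class of bug, the things to look for are extract() applied to shortcode or request arrays and any string concatenation into markup or script that lacks a context-appropriate esc_*() or wp_json_encode() call.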

Tags: Fix, XSS


Related Identifiers: CVE-2026-4089

Affected Products: Twittee Text Tweet