Vulnerabilities and security researches fortwittee-text-tweet twittee-text-tweet

Apr 23, 2026

CVE, Research URL: CVE-2026-4089
Home page URL: Security reports for Twittee Text Tweet
Application: Twittee Text Tweet
Date: Apr 22, 2026
Research Description: The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_tweeter() function uses extract() to pull shortcode attributes into local variables and then directly concatenates them into HTML output without any escaping. Specifically, the $id parameter is inserted into an HTML id attribute context without esc_attr(), allowing an attacker to break out of the attribute and inject arbitrary HTML event handlers. Additionally, the $tweet, $content, $balloon, and $theme attributes are similarly injected into inline JavaScript without escaping (lines 87, 93, 101, 117). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.0.8.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2023-0602
Home page URL: Security reports for Twittee Text Tweet
Application: Twittee Text Tweet
Date: Jul 31, 2023
Research Description: The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative page, which allows reflected XSS attacks targeting administrators to happen.
Affected versions: max 1.0.8.
Status: vulnerable