CVE-2014-2559

Twitget < 3.3.1 - Cross-Site Request Forgery via Plugin Options Change


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2559.

AI-analyzed exploit summary: The exploit demonstrates a CSRF/XSS vulnerability in Twitget 3.3.1 by crafting a malicious form that updates plugin options without proper nonce validation, leading to stored XSS via unescaped output in the form.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that change unspecified plugin options via a request to wp-admin/options-general.php.
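As an added illustration of the defect class the summary and description above attribute to Twitget (this is neither the plugin's own code nor the exploit-db PoC): a WordPress options handler that honours any POST and echoes the stored value unescaped, beside one that verifies a nonce, checks capability, sanitizes on write and escapes on output. The `twitget_demo_*` function and option names are assumed.

```php
<?php
// Added illustration for this CVE record, not code from the Twitget plugin.
// All "twitget_demo_" function and option names are assumed, not the plugin's.

// VULNERABLE PATTERN: any request carrying the expected POST field is honoured.
// A form on a third-party page submitted by a logged-in administrator's browser
// updates the option; the stored value is later echoed unescaped (stored XSS).
function twitget_demo_save_options_vulnerable() {
    if ( isset( $_POST['twitget_demo_username'] ) ) {
        update_option( 'twitget_demo_username', $_POST['twitget_demo_username'] );
    }
}

function twitget_demo_render_form_vulnerable() {
    $username = get_option( 'twitget_demo_username', '' );
    echo '<form method="post">';
    echo '<input type="text" name="twitget_demo_username" value="' . $username . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// HARDENED PATTERN: bind the form to a per-user, per-action nonce and verify it
// before touching options, require the manage_options capability, sanitize the
// input on write, and escape the value when it is rendered back into the form.
function twitget_demo_save_options_hardened() {
    if ( ! isset( $_POST['twitget_demo_username'] ) ) {
        return;
    }
    // Terminates the request (wp_die) unless the nonce matches this action and user;
    // a cross-site form cannot supply it.
    check_admin_referer( 'twitget_demo_save', 'twitget_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $username = sanitize_text_field( wp_unslash( $_POST['twitget_demo_username'] ) );
    update_option( 'twitget_demo_username', $username );
}

function twitget_demo_render_form_hardened() {
    $username = get_option( 'twitget_demo_username', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field (and a referer field) that the handler checks.
    wp_nonce_field( 'twitget_demo_save', 'twitget_demo_nonce' );
    echo '<input type="text" name="twitget_demo_username" value="' . esc_attr( $username ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

Both controls are needed: the nonce stops the cross-site option change, and `esc_attr()` stops a value that reached the option by any other route from becoming stored XSS.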

Exploits (1)

exploitdb · WORKING POC
webapps · php
https://www.exploit-db.com/exploits/32868

Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Twitget WordPress plugin 3.3.1
Auth required
Prerequisites: Logged-in WordPress administrator · Victim visits crafted page
devstral-2 · analyzed Feb 19, 2026

References (6)

Core References
Vendor Advisory (x_refsource_confirm): http://wordpress.org/plugins/twitget/changelog
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/57892
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/92391
Exploit (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2014/Apr/172

Scores

EPSS: 0.0328
EPSS Percentile: 86.9%

Details

CWE: CWE-352 (Cross-Site Request Forgery)
Status: published
Products (1)
twitget_project/twitget < 3.3.1
Published: Oct 17, 2014
Tracked Since: Feb 18, 2026