CVE-2014-2995

twitget < 3.3.1 - Authenticated Cross-Site Scripting via twitget_consumer_key Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2995. PoCs published by Tom Adams.

AI-analyzed exploit summary This PoC demonstrates a CSRF/XSS vulnerability in Twitget 3.3.1. It exploits the lack of nonce-checking and unescaped output in the plugin's options form, allowing an attacker to inject malicious scripts via a crafted form submission.

Description

Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors, as demonstrated by the twitget_consumer_key parameter to wp-admin/options-general.php.

Exploits (1)

exploitdb WORKING POC
by Tom Adams · textwebappsphp
https://www.exploit-db.com/exploits/32868

This PoC demonstrates a CSRF/XSS vulnerability in Twitget 3.3.1. It exploits the lack of nonce-checking and unescaped output in the plugin's options form, allowing an attacker to inject malicious scripts via a crafted form submission.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Twitget 3.3.1
Auth required
Prerequisites: Logged-in administrator session · Victim visits a crafted page
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Vendor Advisory x_refsource_confirm
http://wordpress.org/plugins/twitget/changelog
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/92392
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Apr/172

Scores

EPSS 0.0358
EPSS Percentile 87.9%

Details

CWE
CWE-79
Status published
Products (1)
twitget_project/twitget < 3.3.1
Published Oct 17, 2014
Tracked Since Feb 18, 2026