Impact
A missing authorization check in the WordPress Dashboard Tweeter plugin allows an attacker to modify the plugin’s settings without proper permission. Because the plugin does not enforce correct access control, a user with the ability to reach the settings page can change configuration values such as the source of Twitter content, authentication credentials, or other operational parameters. This could lead to unauthorized content manipulation, credential theft, or other unintended behaviors affecting the website’s Twitter integration.
Affected Systems
The vulnerability exists in all releases of the wpseek WordPress Dashboard Tweeter plugin up to and including version 1.3.2. Any WordPress installation that has this plugin installed and has not been updated to a later version is potentially affected.
Risk and Exploitability
The CVSS score of 6.5 classifies the flaw as a medium severity vulnerability, and the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The flaw is also not listed in CISA’s Known Exploited Vulnerabilities catalog, so there are no confirmed exploits yet. The likely attack vector is the WordPress admin interface: an attacker who can reach the plugin’s settings page, whether through a legitimate user account or by bypassing role restrictions, can make unauthorized changes. Because the privilege check is missing, any user role that can reach the settings page is in scope, so the practical risk is higher than the raw scores might suggest.
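The following PHP is an added illustration of the flaw class described in the Impact and Risk sections; it is not code from the Dashboard Tweeter plugin. The option name, the hook name, the handler and form functions, and the field names are all hypothetical. The first handler shows a settings save routine that persists whatever reaches it, so every role that can load the page or post to admin-post.php can rewrite the configuration; the second adds the capability check and nonce verification that WordPress expects before an option is changed.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.

// Vulnerable pattern: no authorization or request-origin check before persisting.
// Any authenticated role that can reach this handler can change the settings,
// which is the class of missing-authorization flaw the advisory describes.
function hypo_tweeter_save_settings_vulnerable() {
    $settings = array(
        'twitter_source' => sanitize_text_field( wp_unslash( $_POST['twitter_source'] ?? '' ) ),
        'api_token'      => sanitize_text_field( wp_unslash( $_POST['api_token'] ?? '' ) ),
    );
    update_option( 'hypo_tweeter_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypo-tweeter&saved=1' ) );
    exit;
}

// Hardened pattern: authorize the user, verify the nonce, then persist.
function hypo_tweeter_save_settings_hardened() {
    // Authorization: only users with manage_options (administrators by default)
    // may change plugin configuration. Deny with a 403 before touching any input.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'hypo-tweeter' ), 403 );
    }

    // CSRF protection: the submitted form must carry a nonce bound to this action.
    // check_admin_referer() dies with an error if the nonce is missing or invalid.
    check_admin_referer( 'hypo_tweeter_save', 'hypo_tweeter_nonce' );

    $settings = array(
        'twitter_source' => sanitize_text_field( wp_unslash( $_POST['twitter_source'] ?? '' ) ),
        'api_token'      => sanitize_text_field( wp_unslash( $_POST['api_token'] ?? '' ) ),
    );
    update_option( 'hypo_tweeter_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypo-tweeter&saved=1' ) );
    exit;
}

// Wire only the hardened handler to the admin-post.php action the form targets.
add_action( 'admin_post_hypo_tweeter_save', 'hypo_tweeter_save_settings_hardened' );

// The settings form must emit the matching nonce, and should not render at all
// for roles that are not allowed to change the settings.
function hypo_tweeter_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypo_tweeter_save">';
    wp_nonce_field( 'hypo_tweeter_save', 'hypo_tweeter_nonce' );
    echo '<input type="text" name="twitter_source">';
    echo '<input type="password" name="api_token">';
    submit_button( __( 'Save', 'hypo-tweeter' ) );
    echo '</form>';
}
```

When reviewing a plugin for this class of issue, look at every function hooked to admin_post_*, wp_ajax_*, or a REST route and confirm that a current_user_can() check and a nonce or REST permission_callback run before any update_option() call; a handler that only checks the nonce still lets any logged-in role who can obtain a nonce from the page change the settings, so the capability check is the part that closes the gap described in this advisory.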
OpenCVE Enrichment