Impact
The Twitter posts to Blog plugin for WordPress is missing a capability check in its 'dg_tw_options' function. Because no authorization is performed before the settings are saved, any user who can reach the plugin's admin page can change its configuration, regardless of their privilege level. The exposed settings include the Twitter API credentials, the default post author, the default post status, and the capability required to open the plugin's admin menu. An attacker who changes them can have the plugin create posts that appear to come from a legitimate account, attribute posts to an authorized user, or cause it to publish attacker-chosen content on the blog. The tampered settings persist in the WordPress options table and drive the plugin's automated posting, so the flaw threatens the integrity of published posts and of the configuration, the confidentiality of the stored API credentials, and the availability of the posting feature (for example, by replacing working credentials with invalid ones).
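The following is an added illustration of the missing-capability-check pattern described above, written for this page; it is not the plugin's actual code. The function name dg_tw_options comes from the advisory, but the `_vulnerable`/`_hardened` suffixes, the option name `dg_tw_settings`, the form field names, the nonce action and the text domain are all assumptions. The first handler saves whatever is posted to it; the second requires a fixed administrative capability and a nonce before changing state.

```php
<?php
// Added example, not the plugin's own code. Option name, field names,
// nonce action and text domain are assumptions made for illustration.

// Vulnerable pattern: saves settings from the request without checking that
// the current user may change them, and without a nonce.
function dg_tw_options_vulnerable() {
    if ( isset( $_POST['dg_tw_submit'] ) ) {
        $settings = array(
            'consumer_key'    => sanitize_text_field( wp_unslash( $_POST['consumer_key'] ?? '' ) ),
            'consumer_secret' => sanitize_text_field( wp_unslash( $_POST['consumer_secret'] ?? '' ) ),
            'post_author'     => absint( $_POST['post_author'] ?? 0 ),
            'post_status'     => sanitize_key( $_POST['post_status'] ?? 'draft' ),
            'menu_capability' => sanitize_key( $_POST['menu_capability'] ?? 'manage_options' ),
        );
        // Anyone who reaches this code path overwrites the configuration.
        update_option( 'dg_tw_settings', $settings );
    }
    // ... render the settings form ...
}

// Hardened pattern: authorization and CSRF protection before any state change.
// The capability is a constant, not the user-editable 'menu_capability'
// setting, so an attacker cannot lower the bar by editing the option itself.
function dg_tw_options_hardened() {
    if ( isset( $_POST['dg_tw_submit'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die(
                esc_html__( 'You are not allowed to change these settings.', 'dg-tw' ),
                '',
                array( 'response' => 403 )
            );
        }
        // Dies on an invalid or missing nonce; blocks CSRF against an admin.
        check_admin_referer( 'dg_tw_save_settings', 'dg_tw_nonce' );

        // Constrain post status to known values instead of trusting input.
        $allowed_status = array( 'publish', 'draft', 'pending', 'private' );
        $status         = sanitize_key( $_POST['post_status'] ?? 'draft' );
        if ( ! in_array( $status, $allowed_status, true ) ) {
            $status = 'draft';
        }

        // Only accept an author that actually exists.
        $author = absint( $_POST['post_author'] ?? 0 );
        if ( ! get_userdata( $author ) ) {
            $author = get_current_user_id();
        }

        $settings = array(
            'consumer_key'    => sanitize_text_field( wp_unslash( $_POST['consumer_key'] ?? '' ) ),
            'consumer_secret' => sanitize_text_field( wp_unslash( $_POST['consumer_secret'] ?? '' ) ),
            'post_author'     => $author,
            'post_status'     => $status,
            'menu_capability' => 'manage_options', // fixed, never taken from the request
        );
        update_option( 'dg_tw_settings', $settings );
    }
    // The form must emit the matching nonce field:
    // wp_nonce_field( 'dg_tw_save_settings', 'dg_tw_nonce' );
}

// Register the page with a fixed capability too; do not read it from the option.
add_action( 'admin_menu', function () {
    add_options_page(
        'Twitter posts to Blog',
        'Twitter posts to Blog',
        'manage_options',
        'dg-tw',
        'dg_tw_options_hardened'
    );
} );
```

The important design point is that the save path checks `current_user_can()` against a hard-coded capability and a nonce on every request, independently of which capability gates the menu entry. If the save handler trusted a capability stored in the same option it writes, a single unauthorized write could permanently lower the requirement for every later request.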
Affected Systems
The flaw affects the badbreze plugin "Twitter posts to Blog" for WordPress in all releases up to and including version 1.11.25. It does not depend on the operating system or on the WordPress core version: the missing check lies entirely in the plugin's own code.
Risk and Exploitability
The CVSS base score is 6.5, a medium severity. The EPSS score is below 1 %, which suggests exploitation is currently unlikely, and the flaw is not listed in the CISA KEV catalog. The missing authorization check nevertheless makes it exploitable remotely: an attacker needs only to open the plugin's settings page or send a crafted POST request to the endpoint that processes it. No particular privilege level is enforced, so any user able to reach that page could, in principle, apply the change. Sites that rely on the plugin for automated posting therefore face a real risk of defacement and of credential theft, since an attacker can substitute attacker-controlled Twitter API keys for the stored ones.
OpenCVE Enrichment