WordPress - WP Social Ninja exposed API Key
Joshua Martinelle, Thu, 09/04/2025 - 08:43. WP Social Media is a WordPress plugin that allows you to integrate social media feeds such as Instagram Feed and Facebook Feed, social reviews such as Google Reviews and WooCommerce Reviews Pro, and chat widgets such as...
MAL-2025-3922 Malicious code in twitter-api-v1 (npm)
Source: ghsa-malware (e845c35069d8dc1f87dbd947c508662a7462d951bfd0ccd915be80cb99502a96). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2024-0379 Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 - Cross-Site Request Forgery to Plugin Options Update
The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctfautosavetokens function. This makes it possible for...
Hard Coded Credentials
Microweber is vulnerable to the use of Hard Coded Credentials. The vulnerability is due to the hard coding of OAuth access token values in the twitterfeedperformapirequest function in userfiles/modules/twitterfeed/functions.php, which is required to access Twitter APIs. This may lead to sensitive...
Secret information exfiltration by hard coding twitter API keys
Description: Secret information used for API calls was embedded in the microweber source code. PoC: It's hardcoded in the source code below. - https://github.com/microweber/microweber/blob/master/userfiles/modules/twitterfeed/functions.php php $oauthaccesstoken =...
Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials
Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) credentials, posing a major security risk. "Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter...
Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys
Researchers have uncovered a list of 3,207 mobile apps that are exposing Twitter API keys in the clear, some of which can be utilized to gain unauthorized access to Twitter accounts associated with them. The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secre...
Latest Tweets Widget <= 1.1.4 - Arbitrary Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. document.getElementById("test").submit();...
Reddit: hardcoded api secret & api key in com.reddit.frontpage
Hi security team, in file Resources/Resources.arsc/res/values/strings.xml I have found ███ ███. It shouldn't be disclosed to third parties; it is meant for developers as per https://developer.twitter.com/en/docs/authentication/oauth-2-0/bearer-tokens. PoC: curl --user "██████:███" --data...
X (Formerly Twitter): Github Account hijack through broken link in developer.twitter.com
Description: A link in https://developer.twitter.com/en/docs/twitter-api/tools-and-libraries was broken and anyone could create that account, which leads to account impersonation. Steps To Reproduce: 1. Visit https://developer.twitter.com/en/docs/twitter-api/tools-and-libraries 2. Scroll down to...
TwitWork - Monitor Twitter Stream
Monitor the Twitter stream. TwitWork uses the Twitter stream, which lets you receive tweets in real time. There is an input that allows you to filter the flow on one or more keywords or on an @ handle, based on Twitter tracking. Demo: This is a demo of exporting data on the keyword "Coronavirius"...
Hackers Exploited Twitter Bug to Find Linked Phone Numbers of Users
Twitter today issued a warning revealing that attackers abused a legitimate functionality on its platform to determine, without authorization, the phone numbers associated with millions of its users' accounts. According to Twitter, the vulnerability resided in one of the APIs that has been designed to make it...
EXIST - Web Application For Aggregating And Analyzing Cyber Threat Intelligence
EXIST is a web application for aggregating and analyzing CTI (cyber threat intelligence). EXIST is built with the following software: Python 3.5.4, Django 1.11.22. Concept: EXIST is a web application for aggregating CTI to help security operators investigate incidents based on related indicators. EXIS...
Vulnerable Twitter API Leaves Tens of Thousands of iOS Apps Open to Attacks
Researchers are warning that an old Twitter API still used by popular iOS mobile apps could be abused as part of a man-in-the-middle attack. It could be used to hijack Twitter accounts and compromise other third-party apps that are linked to the same "login with Twitter" feature. According t...
X (Formerly Twitter): Unauthorized Access to Protected Tweets via niche.co API
Hello, Summary: Normally, if a victim user sets their tweets to private/protected in the Tweet privacy setting, other users will not be able to see the victim's recent or past statuses/tweets when they visit the victim's profile. People can only see the victim's profile images and information about how...