CVE-2016-10986
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Licensing/Trademark Violation), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The tweet-wheel plugin before 1.0.3.3 for WordPress has XSS via consumer_key, consumer_secret, access_token, and access_token_secret.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/tweet-wheel plugin
- Range: <1.0.3.3
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization (escaping) of POST parameters before they are echoed into HTML input value attributes."
Attack vector
An attacker can inject arbitrary JavaScript by submitting crafted values for the consumer_key, consumer_secret, access_token, or access_token_secret parameters [ref_id=1]. The plugin's auth.php file echoes these POST values directly into the value attribute of HTML input fields without any sanitization or escaping [ref_id=1]. When the administrator visits the Tweet-wheel settings page, the injected script executes in their browser session, leading to stored/reflected cross-site scripting (XSS) [ref_id=1]. No authentication bypass or special network position is required beyond the ability to submit a form to the WordPress admin panel.
Affected code
The vulnerable code is in the file testfiles/tweet-wheel/includes/views/auth.php at lines 34, 40, 46, and 52 [ref_id=1]. Each line echoes an unsanitized POST parameter (consumer_key, consumer_secret, access_token, access_token_secret) directly into the value attribute of an HTML input element [ref_id=1].
What the fix does
The advisory states the fix is to update to version 1.0.4 [ref_id=1]. No patch diff is provided in the bundle, but the remediation would involve properly escaping the echoed POST values with WordPress's esc_attr() or similar output-escaping function before rendering them inside the HTML input value attributes. This prevents an attacker's JavaScript payload from being interpreted as active code by the browser.
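The echo-into-value pattern described under Vulnerability mechanics, and the esc_attr() remediation described above, side by side as an added PHP illustration; this is not the plugin's own code, and the function names, the stand-alone esc_attr() stand-in and the constructed POST values are assumptions.

```php
<?php
// Added illustration (not the plugin's own code): the pattern the advisory
// describes for auth.php, reconstructed, next to the escaped form of the same
// output. Field names come from the CVE; everything else is assumed.

$tw_fields = array( 'consumer_key', 'consumer_secret', 'access_token', 'access_token_secret' );

// Outside WordPress, approximate esc_attr() with htmlspecialchars() so the
// file runs stand-alone; inside WordPress the real esc_attr() is used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Vulnerable pattern: the raw POST value lands inside value="...". A submitted
// value containing a double quote terminates the attribute, and whatever follows
// is parsed as HTML, which is how injected markup reaches the admin's browser.
function tw_render_unescaped( array $fields, array $post ) {
    $html = '';
    foreach ( $fields as $name ) {
        $value = isset( $post[ $name ] ) ? $post[ $name ] : '';
        $html .= '<input type="text" name="' . $name . '" value="' . $value . '">' . "\n";
    }
    return $html;
}

// Fixed pattern: every value passes through esc_attr() before it is placed in
// the attribute, so quotes and angle brackets become entities, not markup.
function tw_render_escaped( array $fields, array $post ) {
    $html = '';
    foreach ( $fields as $name ) {
        $value = isset( $post[ $name ] ) ? $post[ $name ] : '';
        $html .= sprintf(
            '<input type="text" name="%s" value="%s">' . "\n",
            esc_attr( $name ),
            esc_attr( $value )
        );
    }
    return $html;
}

// Constructed input standing in for a crafted submission; a harmless bold
// marker is used in place of a script payload.
$sample_post = array(
    'consumer_key' => 'abc"><b>INJECTED</b>',
    'access_token' => 'plain-token',
);
echo "Unescaped:\n", tw_render_unescaped( $tw_fields, $sample_post );
echo "Escaped:\n", tw_render_escaped( $tw_fields, $sample_post );
```

Running the file shows the unescaped form emitting `value="abc"><b>INJECTED</b>">` (the attribute is closed early and a new element follows) while the escaped form keeps the entire submitted string inside the attribute as `abc&quot;&gt;&lt;b&gt;INJECTED&lt;/b&gt;`.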
Preconditions
- Input: The attacker must be able to submit POST data to the Tweet-wheel settings page (e.g., via a crafted form submission or direct HTTP request).
- Auth: An administrator must visit the Tweet-wheel settings page in the WordPress admin panel after the malicious values have been submitted.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- 0x62626262.wordpress.com/2016/04/21/tweet-wheel-xss-vulnerability/ (MISC)
- wordpress.org/plugins/tweet-wheel/ (MISC)
- wpvulndb.com/vulnerabilities/8464 (MISC)
News mentions
No linked articles in our index yet.