VYPR
Medium severity 5.4 · NVD Advisory · Published Jul 4, 2024 · Updated Apr 15, 2026

CVE-2024-38344

Description

A cross-site request forgery vulnerability exists in WP Tweet Walls versions prior to 1.0.4. To exploit it, an attacker gets a user who is logged in to the WordPress site where the affected plugin is enabled to access a malicious page. As a result, the user may perform unintended operations on the WordPress site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site request forgery in WP Tweet Walls prior to 1.0.4 allows an attacker to trick authenticated users into performing unintended actions on the WordPress site.

WP Tweet Walls versions prior to 1.0.4 are vulnerable to cross-site request forgery (CSRF). The plugin fails to validate or include a proper nonce token in sensitive requests, allowing an attacker to forge requests on behalf of an authenticated user [1].

To exploit this vulnerability, an attacker must trick a logged-in WordPress administrator into visiting a malicious page or link. No prior authentication or network access is required; the attacker only needs to craft a request that appears legitimate to the user's browser [1].

If successfully exploited, the attacker can perform unintended actions on the WordPress site with the victim's privileges. This could include modifying settings, creating or deleting content, or other administrative actions, though the CVSS v3 vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates a low impact on integrity with no effect on confidentiality or availability [1].

The vulnerability is fixed in version 1.0.4 of WP Tweet Walls. However, as of December 2025, the plugin has been closed on the WordPress plugin directory and is no longer available for download [2]. Users who cannot update should consider disabling or removing the plugin and migrating to an alternative solution.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
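
One way to audit an installed plugin for the missing-nonce weakness described above, as an added example that is not part of the advisory or of the plugin's code: a heuristic scan that flags `admin_post_*` and `wp_ajax_*` handlers whose callback never calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()`. The PHP sample and every hook, function and option name in it are constructed and hypothetical.

```python
import re

# WordPress helpers that verify a request nonce.
NONCE_RE = re.compile(r"\b(?:check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")
# Hooks that receive requests from logged-in users; *_nopriv_* hooks are skipped
# because they serve logged-out visitors.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]((?:admin_post|wp_ajax)_(?!nopriv_)\w+)['"]"""
    r"""\s*,\s*['"](\w+)['"]""")

def function_body(source, name):
    """Return the text inside the braces of `function <name>(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    start = source.find("{", m.end()) if m else -1
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(source)):  # naive matching: ignores braces in strings
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        if depth == 0:
            return source[start + 1:i]
    return None

def handlers_missing_nonce(source):
    """List (hook, callback) pairs whose callback body never calls a nonce check."""
    findings = []
    for hook, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        # body is None when the callback is a method, closure or lives in another file
        if body is not None and not NONCE_RE.search(body):
            findings.append((hook, callback))
    return findings

# Constructed sample; hook, function and option names are hypothetical.
SAMPLE_PHP = """
add_action('admin_post_demo_save', 'demo_save');
add_action('admin_post_demo_reset', 'demo_reset');
function demo_save() {
    if (isset($_POST['handle'])) {
        update_option('demo_handle', sanitize_text_field($_POST['handle']));
    }
}
function demo_reset() {
    check_admin_referer('demo_reset');
    delete_option('demo_handle');
}
"""

if __name__ == "__main__":
    for hook, callback in handlers_missing_nonce(SAMPLE_PHP):
        print(f"{hook}: {callback}() has no nonce check")
```

A hit is a lead for manual review rather than proof, since a handler may verify its nonce inside a helper function that this scan does not follow.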
