On September 8th, the web site Vexatious Tendencies disclosed publically a security flaw in the WP to Twitter “Tweet Now” functionality, introduced in version 2.9.0. The security flaw would allow unauthenticated users to post to the administrator’s Twitter account.
See WordPress plugin vulnerability dump, part 2 for more details about the vulnerability.
This is a severe vulnerability, and you should update as soon as possible. If you are still running a version of WP to Twitter older than 2.9.0, you are not affected by this issue.
The issue was disclosed publically without any private notification to me, so I was not aware of the issue until the team at WordFence (which is a fabulous security plug-in for WordPress, by the way) notified me of the issue this evening via Twitter. I apologize for my oversight that allowed this security vulnerability, and thank you WordFence for making me aware of this public disclosure.
Joe Dolson
; October 2, 2014 at 2:58 pmOr, alternatively, update it.
Matt
; September 25, 2014 at 12:53 pmOh dear, better disable this then!