You haven’t provided any detail, or made any attempt to contact me privately. There are two instances of add_query_arg used in WP to Twitter that are not escaped; but they are *not* vulnerable. That function is only vulnerable if it’s using the two-argument form of the function; in its three-argument form, all data passed to the function is defined, and this is probably what you’re seeing.
However, if you still believe you have found a security vulnerability, please contact me privately. Irresponsible disclosure does not help anybody.
[email protected]
Also please read https://make.ww.wp.xz.cn/plugins/2015/05/04/reporting-plugin-issues/ 🙂
If for any reason you cannot get a hold of the plugin devs privately, PLEASE contact plugins AT ww.wp.xz.cn 🙂 We want to hear from you.
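An added audit sketch for the add_query_arg question discussed in this thread (not code from the thread or from the plugin): it lists add_query_arg calls in PHP source and marks those that pass no URL argument, where WordPress builds the URL from $_SERVER['REQUEST_URI'], and that are not the direct argument of esc_url()/esc_url_raw(). It goes beyond the key/value case mentioned above by also handling the array form; the sample input is constructed, and the string masking and wrapper check are heuristics that ignore PHP comments and heredocs.

```python
import re

CALL = re.compile(r"\badd_query_arg\s*\(")
# Heuristic: the call is the direct argument of esc_url() / esc_url_raw().
ESCAPED = re.compile(r"\besc_url(_raw)?\s*\(\s*$")
# PHP quoted strings are masked first so commas and brackets inside them are ignored.
STRING = re.compile(r"'(?:\\.|[^'\\])*'" r'|"(?:\\.|[^"\\])*"', re.S)

def split_args(src, i):
    """Split the argument list starting at index i (just past '(') on top-level commas."""
    args, cur, depth = [], "", 0
    while i < len(src):
        ch = src[i]
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:  # closing paren of add_query_arg itself
                break
            depth -= 1
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    return args + ([cur.strip()] if cur.strip() else [])

def audit(php):
    """Return (line, n_args, no_url, escaped) per call; no_url means REQUEST_URI is used."""
    php = STRING.sub(lambda s: "S" + "\n" * s.group().count("\n"), php)
    out = []
    for m in CALL.finditer(php):
        args = split_args(php, m.end())
        # URL is the 2nd argument in array form, the 3rd in key/value form.
        url_pos = 1 if re.match(r"array\s*\(|\[", args[0] if args else "") else 2
        no_url = len(args) <= url_pos or args[url_pos].lower() == "false"
        escaped = ESCAPED.search(php[:m.start()]) is not None
        out.append((php.count("\n", 0, m.start()) + 1, len(args), no_url, escaped))
    return out

# Constructed sample, not taken from the plugin's source.
SAMPLE = """<?php
$a = add_query_arg( 'tab', 'basic' );
$b = add_query_arg( 'tab', 'basic', admin_url( 'admin.php?page=example' ) );
echo esc_url( add_query_arg( array( 'tab' => 'basic' ) ) );
$c = add_query_arg( array( 'tab' => 'basic', 'x' => 'a,b' ), $base );
"""

def needs_review(php):  # lines whose call omits the URL and is not escaped
    return [ln for ln, _, no_url, esc in audit(php) if no_url and not esc]
```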