CVE-2021-38322: 
WordPress vulnerability analysis and mitigation

The Twitter Friends Widget WordPress plugin (versions up to and including 3.1) was identified with a Reflected Cross-Site Scripting vulnerability, tracked as CVE-2021-38322. The vulnerability was discovered by researcher p7e4 and publicly disclosed on September 8, 2021. The security flaw exists in the ~/twitter-friends-widget.php file, specifically affecting the pmcTFuser and pmcTFpassword parameters (NVD, Wordfence).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impacts on confidentiality and integrity, and no impact on availability (NVD).

The vulnerability allows attackers to inject arbitrary web scripts through the pmcTFuser and pmcTFpassword parameters. When successfully exploited, this could lead to the execution of malicious scripts in users' browsers, potentially compromising user data or session information (NVD).

As of the latest reports, no patch has been released to address this vulnerability. Users of the Twitter Friends Widget WordPress plugin should consider removing or disabling the plugin until a security update is available (Wordfence).