CVE-2024-49685: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Smash Balloon Custom Twitter Feeds (Tweets Widget) WordPress plugin, affecting versions through 2.2.3. The vulnerability was reported on July 25, 2024, and publicly disclosed on October 21, 2024 (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on specific functions within the plugin. The severity of this vulnerability has been assessed with varying CVSS v3.1 scores: NIST rates it as HIGH with a base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack assigns it a MEDIUM severity with a score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L). The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing actions such as clicking on malicious links. This could potentially lead to unauthorized changes in the site's configuration (WPScan).

The vulnerability has been fixed in version 2.2.4 of the Custom Twitter Feeds plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).