XPoster – Share to Bluesky and Mastodon Security & Risk Analysis

wordpress.org/plugins/wp-to-twitter

Posts to Bluesky, Mastodon or X when you update your WordPress blog or add a link, with your chosen URL shortening service.

10K active installs v5.0.6 PHP 7.4+ WP 6.4+ Updated Feb 22, 2026
bluesky, mastodon, post, sharing, social
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Feb 25, 2019
Safety Verdict

Is XPoster – Share to Bluesky and Mastodon Safe to Use in 2026?

Generally Safe

Score 99/100

XPoster – Share to Bluesky and Mastodon has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 25, 2019 · Updated 1mo ago
Risk Assessment

The "wp-to-twitter" plugin v5.0.6 exhibits a generally strong security posture with many good practices in place. The code analysis reveals a robust implementation of prepared statements for SQL queries, a high percentage of properly escaped output, and a comprehensive use of nonce and capability checks. The attack surface is limited to a single AJAX handler, which, importantly, appears to have an authentication check. Taint analysis did not reveal any critical or high-severity flows, suggesting that user input is generally handled safely. However, the presence of the "unserialize" function is a potential concern, as it can lead to deserialization vulnerabilities if used with untrusted input. The plugin's vulnerability history, while showing only one high-severity CVE, indicates a past issue that warrants attention, even though it is currently patched. The single CVE being "Missing Authorization" highlights a historical area of weakness. Overall, the plugin demonstrates a good commitment to security, but the "unserialize" function and the historical vulnerability type suggest areas for continued vigilance.

Key Concerns

  • Dangerous function unserialize found
  • One high severity CVE in history
Vulnerabilities
1

XPoster – Share to Bluesky and Mastodon Security Vulnerabilities

CVEs by Year

1 CVE in 2019

Severity Breakdown

High: 1

1 total CVE

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 3.3.0 (1793d)
Code Analysis
Analyzed Mar 16, 2026

XPoster – Share to Bluesky and Mastodon Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 35 (475 escaped)
Nonce Checks: 14
Capability Checks: 21
File Operations: 2
External Requests: 8
Bundled Libraries: 1

Dangerous Functions Found

unserialize: return unserialize( file_get_contents( $file ) ); (classes\class-wpt-normalizer.php:353)

Bundled Libraries

Guzzle

Output Escaping

93% escaped, 510 total outputs
Data Flows: 4 unsanitized

Data Flow Analysis

13 flows, 4 with unsanitized paths
wpt_update_bluesky_settings (services\bluesky\settings.php:18)
Attack Surface

XPoster – Share to Bluesky and Mastodon Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth wp_ajax_wpt_post_update (includes\ajax.php:12)

WordPress Hooks 28

action admin_menu (includes\metabox.php:28)
filter wpt_settings (wp-to-twitter-manager.php:1152)
filter wptt_shorten_link (wp-to-twitter-shorteners.php:18)
action admin_notices (wp-to-twitter.php:145)
action bulk_edit_posts (wp-to-twitter.php:772)
action admin_menu (wp-to-twitter.php:986)
action admin_enqueue_scripts (wp-to-twitter.php:1000)
action init (wp-to-twitter.php:1170)
action admin_menu (wp-to-twitter.php:1181)
action admin_head (wp-to-twitter.php:1191)
filter plugin_action_links (wp-to-twitter.php:1233)
action add_link (wp-to-twitter.php:1236)
action wp_after_insert_post (wp-to-twitter.php:1245)
action wp_after_insert_post (wp-to-twitter.php:1246)
action save_post (wp-to-twitter.php:1248)
action save_post (wp-to-twitter.php:1249)
action future_to_publish (wp-to-twitter.php:1305)
action xmlrpc_publish_post (wp-to-twitter.php:1362)
action publish_phone (wp-to-twitter.php:1363)
action admin_notices (wp-to-twitter.php:1426)
action admin_notices (wp-to-twitter.php:1442)
action current_screen (wp-to-twitter.php:1519)
action admin_notices (wp-to-twitter.php:1573)
action dp_duplicate_post (wpt-functions.php:995)
action dp_duplicate_page (wpt-functions.php:996)
action wptratelimits (wpt-rate-limiting.php:16)
action init (wpt-rate-limiting.php:136)
filter wpt_tweet_sentence (wpt-truncate.php:50)

Scheduled Events 3

wpt_schedule_tweet_action
wptratelimits
wptratelimits
Maintenance & Trust

XPoster – Share to Bluesky and Mastodon Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 22, 2026
PHP min version: 7.4
Downloads: 4.1M

Community Trust

Rating: 76/100
Number of ratings: 68
Active installs: 10K
Developer Profile

XPoster – Share to Bluesky and Mastodon Developer Profile

Joe Dolson

6 plugins · 96K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 884 days
Detection Fingerprints

How We Detect XPoster – Share to Bluesky and Mastodon

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-to-twitter/css/wtt-admin.css
/wp-content/plugins/wp-to-twitter/css/wtt-public.css
/wp-content/plugins/wp-to-twitter/js/wtt-admin.js
/wp-content/plugins/wp-to-twitter/js/wtt-public.js
Generator Patterns
XPoster
Script Paths
/wp-content/plugins/wp-to-twitter/js/wtt-public.js
Version Parameters
wp-to-twitter/css/wtt-admin.css?ver=
wp-to-twitter/css/wtt-public.css?ver=
wp-to-twitter/js/wtt-admin.js?ver=
wp-to-twitter/js/wtt-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
wtt-message, wtt-posted, wtt-error
HTML Comments
<!-- XPoster -->
<!-- XPoster - Share to Bluesky and Mastodon -->
Data Attributes
data-wtt-postid, data-wtt-service, data-wtt-tweetid
JS Globals
wtt_ajax_object
FAQ

Frequently Asked Questions about XPoster – Share to Bluesky and Mastodon