Broken Link Checker < 2.4.1 – Reflected XSS | CVE 2024-8981 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg in /app/admin-notices/features/class-view.php without appropriate escaping on the URL. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

broken-link-checker

Fixed in 2.4.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/429fe34a-5fa9-4032-9b21-4de114dbc9d1

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

vgo0

Verified

Yes

WPVDB ID

092db6f0-8559-45ec-a0be-85743bf866a5

Timeline

Publicly Published

2024-09-30 (about 1 year ago)

Added

2024-09-30 (about 1 year ago)

Last Updated

2024-09-30 (about 1 year ago)

Other

Published

Title

Published

2024-02-05

Title

Wonder Slider Lite < 14.0 - Reflected Cross-Site Scripting via 'page'

Published

2021-06-07

Title

Recently < 3.0.5 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-10-30

Title

Alley Elementor Widget <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-08-31

Title

Bitcoin / Altcoin Faucet <= 1.6.0 - Settings Update to Stored XSS via CSRF

Published

2025-03-27

Title

Primer MyData for Woocommerce < 4.2.4 - Reflected Cross-Site Scripting