WordPress Plugin Vulnerabilities

Broken Link Checker <= 1.11.8 - Authenticated Cross-Site Scripting (XSS)

Description

The Broken Link Checker WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability.

Affects Plugins

Plugin icon
broken-link-checker
Fixed in 1.11.9

References

CVE
CVE-2019-17207
CVE
CVE-2019-16521
URL
https://packetstormsecurity.com/files/#154875/
URL
https://seclists.org/fulldisclosure/2019/Oct/31
URL
https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190913-02_WordPress_Plugin_Broken_Link_Checker
URL
https://plugins.trac.wordpress.org/changeset/2186570/broken-link-checker

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Tobias Fink (SBA Research)
Verified
No
WPVDB ID
1842e330-3148-4d4b-af8c-6330515ef680

Timeline

Publicly Published
2019-10-15 (about 6 years ago)
Added
2019-10-16 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-08-26
Title
Lazy Load for Videos < 2.18.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-video-title and href Attributes
Published
2024-08-06
Title
Z-Downloads < 1.11.7 - Admin+ Stored XSS via SVG Upload
Published
2022-12-06
Title
WordPress Filter Gallery Plugin < 0.1.6 - Admin+ Stored XSS
Published
2019-03-11
Title
Abandoned Cart Lite for WooCommerce < 5.2.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2026-01-23
Title
Postalicious <= 3.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings