Broken Link Checker < 2.4.2 – Admin+ SSRF | CVE 2024-10903 | Plugin Vulnerabilities

Description

The plugin does not validate a the link URLs before making a request to them, which could allow admin users to perform SSRF attack, for example on a multisite installation.

Proof of Concept

1. Add a link to a post. Save and publish it.
2. Visit `/wp-admin/admin.php?page=blc_local&filter_id=all`.
3. Find the URL that was added to the post and click "Edit URL".
4. Change the URL to `http://localhost:8000` and click Update.
5. Start a web service on the same server as the WordPress site, e.g. `python3 -m http.server`
6. On the WordPress site, click on "Recheck" for the added URL. You should see a request come into the local web service.

Affects Plugins

broken-link-checker

Fixed in 2.4.2

References

CVE

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Carlos Flores

Submitter

Carlos Flores

Submitter website

https://www.asperis.es

Verified

Yes

WPVDB ID

39027390-ce01-4dd5-a979-426785aa7acb

Timeline

Publicly Published

2024-12-05 (about 1 year ago)

Added

2024-12-05 (about 1 year ago)

Last Updated

2024-12-05 (about 1 year ago)

Other

Published

Title

Published

2025-01-21

Title

AI Power: Complete AI Pack < 1.8.97 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2025-07-10

Title

Ultimate Video Player WordPress & WooCommerce Plugin <= 10.1 - Unauthenticated Server-Side Request Forgery

Published

2024-04-29

Title

Google Doc Embedder <= 2.6.4 - Authenticated (Contributor+) Blind Server Side Request Forgery

Published

2024-03-20

Title

Avada < 7.11.7 - Authenticated (Contributor+) Server-Side Request Forgery via form_to_url_action

Published

2021-09-21

Title

Telefication <= 1.8.0 - Open Relay & Server-Side Request Forgery