WordPress Plugin Vulnerabilities

Broken Link Checker < 2.2.4 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Affects Plugins

Plugin icon
broken-link-checker
Fixed in 2.2.4

References

CVE
CVE-2024-25592
URL
https://patchstack.com/database/vulnerability/broken-link-checker/wordpress-broken-link-checker-plugin-2-2-3-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
a837bb5a-0270-49e5-806a-ab733f0e094a

Timeline

Publicly Published
2024-02-12 (about 2 years ago)
Added
2024-02-15 (about 2 years ago)
Last Updated
2024-02-15 (about 2 years ago)

Other

Published
Title
Published
2023-07-10
Title
Mail Control < 0.3.2 - Unauthenticated Stored XSS via Email Subject
Published
2014-08-01
Title
DZS Video Gallery - preview_skin_rouge.swf logoLink Parameter Reflected XSS
Published
2024-04-10
Title
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE < 2.6.9 - Contributor+ Stored Cross-Site Scripting via Block Attributes
Published
2023-10-26
Title
Animated Counters < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2014-08-01
Title
Social Hashtags 2.0.0 - New Post Title Field Stored XSS