WordPress Plugin Vulnerabilities

ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages < 2.4.2 - Reflected Cross-Site Scripting

Description

The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.4.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
clickwhale
Fixed in 2.4.2

References

CVE
CVE-2024-11327
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/96c5836f-6d33-4a56-b30b-5e5d95b81b6b

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
vgo0
Verified
No
WPVDB ID
f11b8c7b-04c0-4137-a2c3-478b40112530

Timeline

Publicly Published
2025-01-10 (about 1 year ago)
Added
2025-01-10 (about 1 year ago)
Last Updated
2025-01-11 (about 1 year ago)

Other

Published
Title
Published
2024-07-24
Title
Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Title
Published
2024-10-25
Title
PriPre <= 0.4.11 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2021-03-01
Title
WP GDPR Compliance < 1.5.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2024-07-04
Title
MakeCommerce for WooCommerce < 3.5.2 - Reflected Cross-Site Scripting
Published
2025-05-07
Title
RS WP Book Showcase <= 6.7.57 - Contributor+ Stored XSS