WordPress Plugin Vulnerabilities

Back Link Tracker <= 1.0.0 - Cross-Site Request Forgery to SQL Injection

Description

The Back Link Tracker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to inject malicious SQL used in a query granted they can trick a site administrator into performing an action such as clicking on a link. Due to their inability to obtain a query response, the exploitation opportunities are limited.

Affects Plugins

Plugin icon
back-link-tracker
No known fix

References

CVE
CVE-2024-49617
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/71a45cd8-4852-4e34-9536-f865e0762b7a

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
João Pedro Soares de Alcântara
Verified
No
WPVDB ID
f7273ac3-ceeb-43a7-973b-d8a3a95357a8

Timeline

Publicly Published
2024-10-18 (about 1 year ago)
Added
2024-10-22 (about 1 year ago)
Last Updated
2024-10-22 (about 1 year ago)

Other

Published
Title
Published
2015-06-17
Title
WP-Stats < 2.52 - CSRF to Stored Cross-Site Scripting (XSS)
Published
2026-01-06
Title
xShare <= 1.0.1 - Cross-Site Request Forgery to 'rs_plugin_reset' Parameter
Published
2023-10-03
Title
AI Content Writing Assistant < 1.1.7 - CSRF
Published
2023-11-08
Title
Korea SNS < 1.6.5 - Settings Update via CSRF
Published
2025-06-19
Title
ClipLink <= 1.1 - Cross-Site Request Forgery