Cross Site Scripting in wp-noexternallinks Plugin for WordPress
CVE-2017-15863

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: WP No External Links
Vendor: CVE Published:; 24 October 2017

Summary

A Cross Site Scripting (XSS) vulnerability is present in the wp-noexternallinks plugin for WordPress versions prior to 3.5.19. This weakness allows attackers to exploit the plugin through a crafted request containing malicious parameters in the date1 or date2 fields, specifically targeting the wp-admin/options-general.php page. Successful exploitation could lead to unauthorized actions performed on behalf of legitimate users, thereby compromising the security and integrity of the site.

References

http://lists.openwall.net/full-disclosure/2017/06/02/3

x_refsource_MISC

https://wordpress.org/plugins/wp-noexternallinks/#developers

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Oct 24, 2017