Reflected XSS Vulnerability in Broken Link Checker Plugin for WordPress
CVE-2019-16521

6.1 MEDIUM

Key Information:

Vendor:
WordPress
CVE Published:
16 October 2019

Summary

The Broken Link Checker plugin for WordPress, in versions up to 1.11.8, is vulnerable to reflected cross-site scripting (XSS). The plugin inserts an HTTP GET parameter into the HTML of the broken links listing page without proper encoding. An attacker can inject an XSS payload through the 's_filter' GET parameter in a 'filter_id=search' request, potentially causing unauthorized script execution in a victim's browser.
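
A defender-side check for the request pattern described above, as an added example that is not code from the plugin or from this advisory: it scans web-server access-log lines for 'filter_id=search' requests whose 's_filter' value decodes to HTML metacharacters, including double URL-encoded values. The log lines and the placeholder path are constructed, and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Characters that must be HTML-encoded before a value is placed into markup.
HTML_META = set("<>\"'")
# Request field of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded input is inspected in clear."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_s_filter(log_lines):
    """Return (line_number, decoded s_filter) for filter_id=search requests
    whose s_filter value contains HTML metacharacters."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if "search" not in query.get("filter_id", []):
            continue
        for raw in query.get("s_filter", []):
            value = fully_decode(raw)
            if HTML_META & set(value):
                hits.append((number, value))
    return hits


# Constructed sample lines; /wp-admin/PLACEHOLDER is not the plugin's real URL.
PREFIX = '203.0.113.5 - - [16/Oct/2019:10:00:00 +0000] "GET /wp-admin/PLACEHOLDER?'
SAMPLE_LOG = [
    PREFIX + 'filter_id=search&s_filter=example.com HTTP/1.1" 200 512',
    PREFIX + 'filter_id=search&s_filter=%22%3E%3Cb%3Etest HTTP/1.1" 200 530',
    PREFIX + 'filter_id=search&s_filter=%2522%253Cb%253E HTTP/1.1" 200 530',
    PREFIX + 'filter_id=broken&s_filter=%3Cb%3E HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for number, value in suspicious_s_filter(SAMPLE_LOG):
        print(f"line {number}: s_filter decodes to {value!r}")
```

A hit means the request carried markup in 's_filter'; whether it was reflected depends on the plugin version that served it.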

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
