: Unauthenticated Attackers Can Inject Arbitrary Web Scripts in Broken Link Checker Plugin for WordPress
CVE-2024-8981

7.1HIGH

Key Information:

Vendor: WPmudev
Status: Broken Link Checker
Vendor: CVE Published:; 1 October 2024

Summary

The Broken Link Checker plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate escaping of URLs in the add_query_arg function. This vulnerability exists in all versions prior to and including 2.4.0. Attackers can exploit this flaw to inject arbitrary web scripts into web pages that may be executed if they successfully manipulate a user into clicking on a malicious link. Such exploitation can lead to unauthorized actions on behalf of the user and potential compromise of site integrity.

Affected Version(s)

Broken Link Checker * <= 2.4.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3159860/brok...

https://plugins.trac.wordpress.org/browser/broken-link-ch...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 1, 2024
Vulnerability Reserved
Sep 18, 2024

Collectors

NVD DatabaseMitre Database

Credit

Dale Mavers