BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV.

PoC

Go to Plugin’s Settings page, in “Tool” tab, import a CSV file with Betterlinks option. Put a simple XSS payload into “link_title” column in the csv file: title"> The XSS will be triggered when accessing Manage Links page. Example of malicious CSV: ID,link_author,link_date,link_date_gmt,link_title,link_slug,link_note,link_status,nofollow,sponsored,track_me,param_forwarding,param_struct,redirect_type,target_url,short_url,link_order,link_modified,link_modified_gmt,wildcards,expire,dynamic_redirect,tags,category 1,1,“2021-10-01 12:48:35”,“2021-10-01 12:48:35”,">,slug,note,publish,1,1,307,https://example.com/aaa,go/xss,0,“2021-10-01 12:48:35”,“2021-10-01 12:48:35”,0,uncategorized