Source: wpvulndb (WPScan), WPVDB-ID: 78054BD7-CDC2-4B14-9B5C-30F10E802D6B
Reporter: Jihoon Lee (AhnLab)
Published: Nov 11, 2022

Broken Link Checker < 1.11.20 - Admin+ Cross-Site Scripting

Source: wpscan.com
9
Tags: xss, vulnerability, admin access, stored cross-site scripting, youtube api

EPSS: 0.001 (Low), Percentile: 23.5%

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PoC

Put the following payload in the Youtube API Key setting and save: test">. The XSS will be triggered when the settings page is viewed again.
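As an added illustration (not code from the Broken Link Checker plugin or from the advisory), the PHP below shows the pattern behind this finding: a stored settings value echoed into an input attribute without escaping, beside the escape-on-output and sanitise-on-save fixes that stop it regardless of unfiltered_html. The WordPress helper names esc_attr and sanitize_text_field are real; their stand-in bodies, the field name youtube_api_key and the API-key character set are assumptions so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Stand-ins for WordPress helpers so
// this file runs outside WordPress; inside WordPress the real ones are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        // esc_attr() encodes quotes, angle brackets and ampersands for attributes.
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Approximation of WordPress's behaviour: drop tags and control characters.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}

// Weak pattern: the stored option is concatenated straight into an attribute.
// A value containing a double quote ends the attribute; a following '>' ends
// the tag, so whatever comes next is parsed as markup on the settings page.
function render_api_key_field_unescaped(string $stored): string {
    return '<input type="text" name="youtube_api_key" value="' . $stored . '">';
}

// Hardened output: escape at render time no matter what was stored. This is
// the fix that matters, because settings bypass the KSES filtering that
// normally applies to users without unfiltered_html.
function render_api_key_field_escaped(string $stored): string {
    return '<input type="text" name="youtube_api_key" value="' . esc_attr($stored) . '">';
}

// Hardened save path (assumed character set): an API key is a short token with
// no markup, so anything outside that set is rejected before it is stored.
function sanitize_api_key(string $raw): string {
    $clean = sanitize_text_field($raw);
    return preg_match('/^[A-Za-z0-9_-]{0,64}$/', $clean) ? $clean : '';
}

// Constructed input using the quote-and-bracket prefix from the advisory's PoC.
$submitted = 'test">';
echo "unescaped: ", render_api_key_field_unescaped($submitted), "\n";
echo "escaped:   ", render_api_key_field_escaped($submitted), "\n";
echo "sanitised: ", render_api_key_field_escaped(sanitize_api_key($submitted)), "\n";
```

Run it with php and compare the three lines: only the first one leaves the attribute open, which is the condition the advisory describes.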

CPE Name             Operator  Version
broken-link-checker  lt        1.11.20
