// For flags

CVE-2014-125105

Broken Link Checker Plugin Settings Page core.php options_page cross site scripting

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability was found in Broken Link Checker Plugin up to 1.10.1 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function options_page of the file core/core.php of the component Settings Page. The manipulation of the argument exclusion_list/blc_custom_fields leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.10.2 is able to address this issue. The patch is named 90615fe9b0b6f9e6fb254d503c302e53a202e561. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230659.

Se ha encontrado una vulnerabilidad en el plugin Broken Link Checker hasta la versión 1.10.1 en WordPress. Se ha declarado como problemática. Esta vulnerabilidad afecta a la función "options_page" del archivo "core/core.php" del componente "Settings Page". La manipulación del argumento "exclusion_list/blc_custom_fields" conduce a Cross-Site Scripting. El ataque puede lanzarse de forma remota. La actualización a la versión 1.10.2 soluciona este problema. El nombre del parche es 90615fe9b0b6f9e6fb254d503c302e53a202e561. Se recomienda actualizar el componente afectado. El identificador asociado de esta vulnerabilidad es VDB-230659.

In Broken Link Checker Plugin bis 1.10.1 für WordPress wurde eine problematische Schwachstelle ausgemacht. Hierbei betrifft es die Funktion options_page der Datei core/core.php der Komponente Settings Page. Dank der Manipulation des Arguments exclusion_list/blc_custom_fields mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Ein Aktualisieren auf die Version 1.10.2 vermag dieses Problem zu lösen. Der Patch wird als 90615fe9b0b6f9e6fb254d503c302e53a202e561 bezeichnet. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

The Broken Link Checker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘exclusion_list’ parameter in versions up to, and including, 1.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

*Credits: VulDB GitHub Commit Analyzer
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Multiple
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-12-05 CVE Published
  • 2023-06-03 CVE Reserved
  • 2024-08-06 CVE Updated
  • 2024-12-26 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Managewp
Search vendor "Managewp"
 Broken Link Checker
Search vendor "Managewp" for product "Broken Link Checker"
 <= 1.10.1
Search vendor "Managewp" for product "Broken Link Checker" and version " <= 1.10.1"
wordpress
Affected