Vulnerabilities and security researches forbroken-link-checker broken-link-checker

Jun 06, 2024

CVE, Research URL: CVE-2022-2438
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Sep 06, 2022
Research Description: The Broken Link Checker plugin for WordPress is vulnerable to deserialization of untrusted input via the '$log_file' value in versions up to, and including 1.11.16. This makes it possible for authenticated attackers with administrative privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2019-17207
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Oct 18, 2019
Research Description: A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2019-16521
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Oct 16, 2019
Research Description: The broken-link-checker plugin through 1.11.8 for WordPress (aka Broken Link Checker) is susceptible to Reflected XSS due to improper encoding and insertion of an HTTP GET parameter into HTML. The filter function on the page listing all detected broken links can be exploited by providing an XSS payload in the s_filter GET parameter in a filter_id=search request. NOTE: this is an end-of-life product.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2015-5057
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Aug 18, 2017
Research Description: Cross-site scripting (XSS) vulnerability exists in the Wordpress admin panel when the Broken Link Checker plugin before 1.10.9 is installed.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-3922
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Dec 28, 2022
Research Description: The Broken Link Checker WordPress plugin before 1.11.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2014-125105
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Jun 05, 2023
Research Description: A vulnerability was found in Broken Link Checker Plugin up to 1.10.1 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function options_page of the file core/core.php of the component Settings Page. The manipulation of the argument exclusion_list/blc_custom_fields leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.10.2 is able to address this issue. The patch is named 90615fe9b0b6f9e6fb254d503c302e53a202e561. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230659.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2015-10098
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Apr 08, 2023
Research Description: A vulnerability was found in Broken Link Checker Plugin up to 1.10.5 on WordPress. It has been rated as problematic. Affected by this issue is the function print_module_list/show_warnings_section_notice/status_text/ui_get_action_links. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.10.6 is able to address this issue. The name of the patch is f30638869e281461b87548e40b517738b4350e47. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225152.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-25592
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Mar 15, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Broken Link Checker allows Stored XSS.This issue affects Broken Link Checker: from n/a through 2.2.3.
Affected versions: Min -, max -.
Status: vulnerable

Oct 01, 2024

CVE, Research URL: CVE-2024-8981
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Oct 01, 2024
Research Description: The Broken Link Checker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg in /app/admin-notices/features/class-view.php without appropriate escaping on the URL in all versions up to, and including, 2.4.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Dec 27, 2024

CVE, Research URL: CVE-2024-10903
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Dec 26, 2024
Research Description: The Broken Link Checker WordPress plugin before 2.4.2 does not validate a the link URLs before making a request to them, which could allow admin users to perform SSRF attack, for example on a multisite installation.
Affected versions: Min -, max -.
Status: vulnerable

Jun 05, 2025

CVE, Research URL: CVE-2025-4047
Home page URL: Security reports for Broken Link Checker
Application: Broken Link Checker
Date: Jun 03, 2025
Research Description: The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajax_full_status and ajax_dashboard_status functions in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view the plugin's status.
Affected versions: Min -, max -.
Status: vulnerable