cleantalk
Vulnerabilities and Security Researches

Broken Link Checker, CVE-2022-2438

CVE, Research URL

CVE-2022-2438

Home page URL

Security reports for Broken Link Checker

Application

Broken Link Checker

Published on
Sep 06, 2022
Research Description
The Broken Link Checker plugin for WordPress is vulnerable to deserialization of untrusted input via the '$log_file' value in versions up to, and including 1.11.16. This makes it possible for authenticated attackers with administrative privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected versions
Min -, max 1.9.2.
Status
vulnerable
Previous vulnerability researches
URL Shortener | Conversion Tracking | AB Testing | WooCommerce (CVE-2025-1362) , Mar 05, 2025
URL Shortener | Conversion Tracking | AB Testing | WooCommerce (CVE-2025-1363) , Mar 05, 2025
URL Shortener | Conversion Tracking | AB Testing | WooCommerce (CVE-2024-13868) , Mar 05, 2025
URL Shortener | Conversion Tracking | AB Testing | WooCommerce (CVE-2025-23789) , Feb 16, 2025
Broken Link Checker for YouTube (CVE-2023-48281) , Jun 07, 2024
New vulnerability
The Plus Addons for Elementor (CVE-2025-49076) , Jun 06, 2025
WP Pipes (CVE-2025-48267) , Jun 06, 2025
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, (CVE-2025-5292) , Jun 06, 2025
Newsletters (CVE-2025-4857) , Jun 06, 2025
Royal Elementor Addons and Templates (CVE-2025-3813) , Jun 06, 2025