CVE-2019-17207 - OpenCVE

A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Managewp	Broken Link Checker

Configuration 1 [-]

cpe:2.3:a:managewp:broken_link_checker:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/154875/WordPress-Broken-Link-Checker-1.11.8-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2019/Oct/31
https://wordpress.org/plugins/broken-link-checker/#developers
https://wpvulndb.com/vulnerabilities/9917

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-10-18T15:47:35

Updated: 2024-08-05T01:33:17.290Z

Reserved: 2019-10-05T00:00:00

Link: CVE-2019-17207

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-10-18T16:15:10.397

Modified: 2019-10-21T18:19:21.037

Link: CVE-2019-17207

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-18T15:49:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wordpress.org/plugins/broken-link-checker/#developers"}, {"name": "20191015 Reflected XSS via Broken Link Checker v.1.11.8 WordPress Plugin", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Oct/31"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154875/WordPress-Broken-Link-Checker-1.11.8-Cross-Site-Scripting.html"}, {"tags": ["x_refsource_MISC"], "url": "https://wpvulndb.com/vulnerabilities/9917"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17207", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://wordpress.org/plugins/broken-link-checker/#developers", "refsource": "MISC", "url": "https://wordpress.org/plugins/broken-link-checker/#developers"}, {"name": "20191015 Reflected XSS via Broken Link Checker v.1.11.8 WordPress Plugin", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Oct/31"}, {"name": "http://packetstormsecurity.com/files/154875/WordPress-Broken-Link-Checker-1.11.8-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154875/WordPress-Broken-Link-Checker-1.11.8-Cross-Site-Scripting.html"}, {"name": "https://wpvulndb.com/vulnerabilities/9917", "refsource": "MISC", "url": "https://wpvulndb.com/vulnerabilities/9917"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:33:17.290Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wordpress.org/plugins/broken-link-checker/#developers"}, {"name": "20191015 Reflected XSS via Broken Link Checker v.1.11.8 WordPress Plugin", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Oct/31"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/154875/WordPress-Broken-Link-Checker-1.11.8-Cross-Site-Scripting.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpvulndb.com/vulnerabilities/9917"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17207", "datePublished": "2019-10-18T15:47:35", "dateReserved": "2019-10-05T00:00:00", "dateUpdated": "2024-08-05T01:33:17.290Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:managewp:broken_link_checker:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6A8A4C2E-2795-4373-AE4A-08FEB13A87A3", "versionEndIncluding": "1.11.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de tipo XSS reflejado en el archivo includes/admin/table-printer.php en el plugin Broken-Link-Checker (tambi\u00e9n se conoce como Broken Link Checker) versi\u00f3n 1.11.8 para WordPress. Esto permite a usuarios no autorizados inyectar JavaScript del lado del cliente en una p\u00e1gina de WordPress solo para administradores por medio del par\u00e1metro s_filter de wp-admin/tools.php?page=view-broken-links en una acci\u00f3n search."}], "id": "CVE-2019-17207", "lastModified": "2019-10-21T18:19:21.037", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-18T16:15:10.397", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/154875/WordPress-Broken-Link-Checker-1.11.8-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Oct/31"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://wordpress.org/plugins/broken-link-checker/#developers"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpvulndb.com/vulnerabilities/9917"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}