First published: Sat Jan 25 2025
The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bilingual Linker | <=2.4 | |
| WordPress | | |
| Ylefebvre Bilingual Linker Wordpress | <2.4.1 | |
CVE-2024-13441 is considered a high-severity vulnerability due to its potential for allowing authenticated attackers to execute stored cross-site scripting attacks.
The recommended fix for CVE-2024-13441 is to update the Bilingual Linker plugin to version 2.5 or later, which addresses the input sanitization and output escaping issues.
CVE-2024-13441 affects all versions of the Bilingual Linker plugin up to and including version 2.4 installed on WordPress sites.
Stored Cross-Site Scripting in CVE-2024-13441 involves the injection of malicious scripts that are stored on the server and executed when users access affected pages.
You can identify whether your site is vulnerable to CVE-2024-13441 by checking whether the Bilingual Linker plugin is installed and whether its version is 2.4 or earlier.
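The check above can be automated by reading the plugin header WordPress itself uses. The script below is an added example, not code from the plugin or the advisory; it parses the `Plugin Name:` and `Version:` header lines from a plugin's main file, flags Bilingual Linker installs at version 2.4 or earlier, and uses constructed sample headers so it runs offline. Tuple comparison of numeric version parts keeps 2.4.1 and 2.5 out of the affected range.

```python
import glob
import os
import re

# Constructed sample plugin headers for offline use; these are not the plugin's real files.
SAMPLE_HEADERS = {
    "bilingual-linker/bilingual-linker.php": "<?php\n/*\nPlugin Name: Bilingual Linker\nVersion: 2.4\n*/\n",
    "other-plugin/other-plugin.php": "<?php\n/*\nPlugin Name: Other Plugin\nVersion: 2.4\n*/\n",
    "patched/bilingual-linker.php": "<?php\n/*\nPlugin Name: Bilingual Linker\nVersion: 2.5\n*/\n",
}

# WordPress reads plugin metadata from 'Key: value' lines in the main file's header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)
AFFECTED_NAME = "Bilingual Linker"
MAX_AFFECTED = "2.4"  # CVE-2024-13441: all versions up to and including 2.4 are affected

def parse_plugin_header(text):
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin file header."""
    return dict(HEADER_RE.findall(text))

def version_tuple(version):
    """Numeric prefix of a version string as a tuple: '2.4.1' -> (2, 4, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(version):
    """True when version <= 2.4; (2, 4, 1) and (2, 5) compare greater than (2, 4)."""
    return version_tuple(version) <= version_tuple(MAX_AFFECTED)

def check_header(text):
    """Return (name, version, affected); affected is None for plugins other than Bilingual Linker."""
    header = parse_plugin_header(text)
    name, version = header.get("Plugin Name", ""), header.get("Version", "")
    if name != AFFECTED_NAME:
        return name, version, None
    return name, version, is_affected(version)

def scan_plugins_dir(plugins_dir):
    """Scan wp-content/plugins/<slug>/*.php and report each Bilingual Linker main file found."""
    findings = []
    for path in sorted(glob.glob(os.path.join(plugins_dir, "*", "*.php"))):
        with open(path, encoding="utf-8", errors="replace") as f:
            name, version, affected = check_header(f.read(8192))  # WordPress reads the first 8 KB
        if affected is not None:
            findings.append((os.path.relpath(path, plugins_dir), version, affected))
    return findings
```

Point `scan_plugins_dir()` at a site's `wp-content/plugins` directory to list every Bilingual Linker install with its version and whether it falls in the affected range.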