First published: Wed May 08 2024(Updated: )
The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'link-library' shortcode in all versions up to, and including, 7.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix |
---|---|---|
Ylefebvre Link Library | <=7.6.11 | |
Ylefebvre Link Library | <7.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-4281 is rated as a medium severity vulnerability due to its potential for Stored Cross-Site Scripting.
To fix CVE-2024-4281, upgrade the Link Library plugin to version 7.7 or later which addresses the input sanitization issues.
CVE-2024-4281 affects all versions of the Link Library plugin for WordPress up to and including version 7.6.11.
CVE-2024-4281 can be exploited to launch Stored Cross-Site Scripting attacks against authenticated users of the affected WordPress site.
Yes, the 'link-library' shortcode is specifically vulnerable in CVE-2024-4281 due to inadequate input sanitization and output escaping.