CVE-2025-12629
WordPress · Multiple WordPress products, specifically the "Broken Link Manager" plugin.
A high-severity vulnerability has been identified in the Broken Link Manager WordPress plugin, impacting multiple WordPress products.
Executive summary
A high-severity vulnerability has been identified in the Broken Link Manager WordPress plugin, impacting multiple WordPress products. This flaw could allow a low-privileged attacker to compromise the website, potentially leading to a full site takeover, data theft, or malware distribution. Organizations are urged to apply the recommended updates immediately to mitigate the significant risk of website defacement, data breaches, and reputational damage.
Vulnerability
The vulnerability is a stored Cross-Site Scripting (XSS) flaw within the Broken Link Manager plugin. An authenticated attacker with low-level privileges (such as a contributor) can inject a malicious script into a field handled by the plugin, such as a reported broken link URL. This script is then stored in the database and is executed in the browser of a high-privileged user, like an administrator, when they view the plugin's administrative dashboard. Successful exploitation could allow the attacker to steal administrator session cookies, create new administrative accounts, or inject malicious code into the website, leading to a complete site compromise.
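To make the failure mode above concrete, the following is an added illustration (not code from the plugin or from WordPress) of the same stored-XSS pattern, written in Python rather than PHP. It stores a user-supplied "reported broken link URL" and renders it into an administrator's HTML table, first the unsafe way and then with scheme validation plus context-appropriate escaping. The field name `reported_url` and the sample records are constructed for this example; the plugin's real field names and templates are not given in the advisory.

```python
# Added illustration of the stored-XSS pattern described in the advisory.
# Written in Python; NOT the plugin's or WordPress's code. The field name
# "reported_url" and the sample records below are constructed assumptions.
import html
from typing import Optional
from urllib.parse import urlparse

# Constructed sample records: one legitimate URL and two attacker-shaped
# values of the kind a low-privileged user could submit into a URL field.
SAMPLE_REPORTS = [
    {"id": 1, "reported_url": "https://example.com/missing-page"},
    {"id": 2, "reported_url": 'https://x.test/" onmouseover="alert(1)'},
    {"id": 3, "reported_url": "javascript:alert(document.cookie)"},
]


def render_row_unsafe(report: dict) -> str:
    """Vulnerable pattern: the stored value is dropped straight into admin
    HTML, so a quote breaks out of the attribute and a javascript: URL is
    honoured as a link target."""
    url = report["reported_url"]
    return f'<tr><td><a href="{url}">{url}</a></td></tr>'


SAFE_SCHEMES = {"http", "https"}


def safe_url(value: str) -> Optional[str]:
    """Return the URL only if it parses with an http(s) scheme and a host;
    anything else (javascript:, data:, relative junk) is rejected."""
    candidate = value.strip()
    parsed = urlparse(candidate)
    if parsed.scheme.lower() in SAFE_SCHEMES and parsed.netloc:
        return candidate
    return None


def render_row_safe(report: dict) -> str:
    """Hardened pattern: validate the scheme on output, then escape for the
    attribute and text contexts. Rejected values are shown as escaped text
    only, never as a clickable link."""
    url = safe_url(report["reported_url"])
    if url is None:
        return f"<tr><td>{html.escape(report['reported_url'])}</td></tr>"
    escaped = html.escape(url, quote=True)  # quote=True also escapes " and '
    return f'<tr><td><a href="{escaped}">{escaped}</a></td></tr>'


if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print("unsafe:", render_row_unsafe(report))
        print("safe:  ", render_row_safe(report))
```

The two checks are deliberately separate: escaping alone would still emit `href="javascript:..."` as a working link, and scheme validation alone would still let a `"` in the path close the attribute. Both are needed, and both belong on the output path, which is where the advisory says the script executes (the administrator's dashboard).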
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.1. Exploitation could have a severe business impact, including the compromise of sensitive company or customer data stored on the website. An attacker gaining administrative control could deface the website, causing significant reputational damage and loss of customer trust. Furthermore, the compromised website could be used to host malware or phishing pages, potentially leading to the infection of site visitors and placing the organization at risk of being blacklisted by search engines and security vendors.
Remediation
Immediate Action:
- Update: Immediately update the Broken Link Manager plugin to the latest patched version as recommended by the vendor. If your theme or other plugins bundle this functionality, ensure they are also updated.
- Review and Remove: If the Broken Link Manager plugin is not essential to business operations, the most secure course of action is to deactivate and remove it entirely. Regularly review all installed plugins and themes to remove any that are unnecessary, reducing the overall attack surface.
- Review Security Settings: Audit WordPress user accounts, removing any suspicious or unauthorized users, and enforce the principle of least privilege for all legitimate accounts.
Proactive Monitoring:
- Monitor web server and application logs for suspicious POST requests to the plugin's administrative functions, especially those containing script tags or HTML event handlers.
- Implement file integrity monitoring to detect unauthorized changes to core WordPress, plugin, or theme files.
- Regularly scan the website's database for stored XSS payloads, particularly in tables related to the Broken Link Manager plugin.
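As an added example covering the first and third monitoring items (log review for suspicious POST requests, and scanning stored data for XSS payloads), the script below applies one marker check for script tags, event-handler attributes and `javascript:` URLs to both sources. It is illustrative code written for this advisory, not a vendor tool. The access-log lines, the request path `/wp-admin/admin-post.php?action=blm_report`, and the database rows are all constructed; the plugin's real endpoints, table and column names are not stated in the advisory and must be substituted from your own installation.

```python
# Added example: detection of XSS markers in (a) web-server access-log lines
# for POST requests under /wp-admin/ and (b) rows pulled from a plugin table.
# Written for this advisory; not vendor code. Endpoint, table and column
# names below are assumptions, and all sample data is constructed.
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Markers named in the advisory's monitoring advice: script tags and HTML
# event-handler attributes, plus javascript: URLs. Values are URL-decoded
# before matching because request data is usually percent-encoded.
# Heuristic by design: an innocent "online=" query key would also match.
XSS_MARKERS = re.compile(
    r"<\s*script\b|</\s*script\s*>|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

# Combined-log-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log (assumed endpoint, see lead-in).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:00:01 +0000] "POST /wp-admin/admin-post.php?action=blm_report&url=https%3A%2F%2Fexample.com%2Fold HTTP/1.1" 302 0
203.0.113.9 - - [10/Nov/2025:10:00:07 +0000] "POST /wp-admin/admin-post.php?action=blm_report&url=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 302 0
203.0.113.9 - - [10/Nov/2025:10:00:09 +0000] "POST /wp-admin/admin-post.php?action=blm_report&url=x%22+onerror%3Dalert%281%29 HTTP/1.1" 302 0
198.51.100.2 - - [10/Nov/2025:10:01:00 +0000] "GET /wp-admin/admin.php?page=broken-links HTTP/1.1" 200 5120
"""

# Constructed sample rows, shaped like a SELECT over an assumed plugin table.
SAMPLE_DB_ROWS = [
    {"id": 1, "url": "https://example.com/missing", "notes": "404 on homepage"},
    {"id": 2, "url": '"><script>alert(1)</script>', "notes": ""},
    {"id": 3, "url": "https://example.com/img", "notes": "<img src=x onerror=alert(1)>"},
]


def contains_xss_marker(value: str) -> bool:
    """True if the URL-decoded value contains any marker pattern."""
    return bool(XSS_MARKERS.search(unquote_plus(value)))


def suspicious_admin_posts(log_text: str) -> List[Dict[str, str]]:
    """Return POST requests under /wp-admin/ whose target carries a marker.
    Only the request target is visible in a standard access log; POST bodies
    need a WAF or application log to inspect."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or not m["target"].startswith("/wp-admin/"):
            continue
        if contains_xss_marker(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": unquote_plus(m["target"])})
    return hits


def scan_rows(rows: List[dict], columns: List[str]) -> List[Tuple[int, str]]:
    """Return (row id, column) pairs whose stored text carries a marker."""
    flagged = []
    for row in rows:
        for col in columns:
            if col in row and contains_xss_marker(str(row[col])):
                flagged.append((row["id"], col))
    return flagged


if __name__ == "__main__":
    for hit in suspicious_admin_posts(SAMPLE_LOG):
        print("log hit:", hit)
    for row_id, col in scan_rows(SAMPLE_DB_ROWS, ["url", "notes"]):
        print(f"stored payload in row {row_id}, column {col}")
```

For a real site, feed `scan_rows` the result of a query against the plugin's own tables (and `wp_postmeta`/`wp_options` if the plugin stores data there), and run the log check over the period since the plugin was installed, since a stored payload may have been planted long before the patch.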
Compensating Controls:
- Web Application Firewall (WAF): Deploy a WAF with a robust ruleset designed to detect and block common XSS attack patterns. This can provide a layer of defense if immediate patching is not feasible.
- Content Security Policy (CSP): Implement a strict CSP to control which resources (e.g., scripts, styles) are allowed to be loaded, mitigating the impact of an XSS injection.
- Restrict Admin Access: Limit access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only.
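The CSP item above only helps against stored XSS if the policy actually forbids inline script, which is where a deployed policy most often falls short. The checker below is an added example (not vendor code) that parses a `Content-Security-Policy` header value and reports the settings that would let an injected `<script>` block or event handler run, comparing a weak policy with a strict one. Both header values are constructed for this example.

```python
# Added example: flag Content-Security-Policy settings that fail to mitigate
# an injected inline script. Written for this advisory; not vendor code.
# The two policies below are constructed samples.
from typing import Dict, List

# Weak: 'unsafe-inline' lets injected <script> and on*= handlers execute, and
# '*' lets any host serve script.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *"

# Strict: scripts only from the site itself or carrying the per-response nonce.
STRICT_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0mNonce'; "
              "object-src 'none'; base-uri 'self'")

# Source expressions that are effectively open for script loading.
OPEN_SOURCES = {"*", "https:", "http:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_weaknesses(header: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy blocks
    inline and third-party script as far as these checks go."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src governs scripts; default-src is the fallback when absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        findings.append("no script-src or default-src: inline scripts are allowed")
        return findings
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha")
                            for s in lowered)
    # Browsers that support nonces/hashes ignore 'unsafe-inline' when one is
    # present, so it is only a weakness without them.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script sources: injected inline "
                        "scripts and event handlers execute")
    open_found = sorted(OPEN_SOURCES.intersection(lowered))
    if open_found:
        findings.append(f"open script sources {open_found}: scripts may be "
                        "loaded from arbitrary origins")
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("object-src is not 'none': plugin/object embeds are "
                        "another script execution path")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, csp_weaknesses(header) or ["no findings"])
```

Note the nonce caveat in the code: a policy that carries both `'unsafe-inline'` and a nonce is treated by modern browsers as nonce-only, so the nonce has to be unpredictable per response and applied to every legitimate inline script, including those WordPress and other plugins emit, or the dashboard itself breaks.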
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity (CVSS 7.1) of this vulnerability and the potential for a complete website compromise, we strongly recommend that immediate action be taken. Organizations should prioritize applying the vendor-supplied patches or removing the affected plugin without delay. Although this CVE is not currently on the CISA KEV list, the widespread use of WordPress makes it an attractive target, and proactive remediation is the most effective strategy to prevent exploitation and protect business assets.