Tobias Fink

**Name of the Vulnerable Software and Affected Versions** broken-link-checker plugin version 1.11.8 **Description** A reflected XSS issue was found in the broken-link-checker plugin for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the `s filter` parameter in a search action on the `wp-admin/tools.php?page=view-broken-links` endpoint. **Recommendations** For broken-link-checker plugin version 1.11.8, consider disabling access to the `wp-admin/tools.php?page=view-broken-links` endpoint until a patch is available, and avoid using the `s filter` parameter in search actions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Events Manager plugin versions through 5.9.5 **Description** The issue arises from improper encoding and insertion of data provided to the `map style` attribute of shortcodes, specifically `locations map` and `events map`, leading to Stored XSS. **Recommendations** For versions through 5.9.5, update to a version that contains a fix for this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Wordpress Broken Link Checker plugin versions prior to 1.10.9 **Description** A cross-site scripting (XSS) issue exists in the Wordpress admin panel. This occurs when the Broken Link Checker plugin is installed. **Recommendations** For Wordpress Broken Link Checker plugin versions prior to 1.10.9, update to version 1.10.9 or later to resolve the issue.