CVE-2022-2438

Name of the Vulnerable Software and Affected Versions Broken Link Checker plugin for WordPress versions up to, and including 1.11.16

Description The Broken Link Checker plugin for WordPress is vulnerable to deserialization of untrusted input via the $log file value. This allows authenticated attackers with administrative privileges and above to call files using a PHAR wrapper, which can deserialize the data and call arbitrary PHP Objects. These objects can be used to perform malicious actions if a POP chain is also present. The attack requires the attacker to successfully upload a file with the serialized payload.

Recommendations For versions up to, and including 1.11.16, update to a version that contains a fix for this issue to prevent deserialization of untrusted input. As a temporary workaround, consider restricting access to the $log file value to minimize the risk of exploitation.