
cpe:2.3:a:wpmudev:broken_link_checker:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Wpmudev (a4908a28-206b-5801-853a-92926b63e5e8)
Product: Broken Link Checker (2ac2a992-8f09-5a4e-96a3-458dd67c852e)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/wp-plugins/broken-link-checker | purl2cpe | 2026-06-01 10:13:30.100366
pkg:github/wpplugins/broken-link-checker | purl2cpe | 2026-06-01 10:13:30.100369

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2025-4047 | vulnerable | 2026-06-03 15:01:46.602810 | Broken Link Checker <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Status Dashboard View
MEDIUM (4.3)
The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajax_full_status and ajax_dashboard_status functions in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view the plugin's status.
Published: 2025-06-03T02:27:34.395Z
Updated: 2026-04-08T16:45:31.920Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8981 | vulnerable | 2026-06-03 14:58:20.236625 | Broken Link Checker <= 2.4.0 - Reflected Cross-Site Scripting
HIGH (7.1)
The Broken Link Checker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg in /app/admin-notices/features/class-view.php without appropriate escaping on the URL in all versions up to, and including, 2.4.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2024-10-01T02:33:30.428Z
Updated: 2026-04-08T16:48:56.756Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2438 | vulnerable | 2026-06-03 14:47:06.371146 | Broken Link Checker <= 1.11.16 - Authenticated (Admin+) PHAR Deserialization
HIGH (7.2)
The Broken Link Checker plugin for WordPress is vulnerable to deserialization of untrusted input via the '$log_file' value in versions up to, and including, 1.11.16. This makes it possible for authenticated attackers with administrative privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP objects that can be used to perform a variety of malicious actions, provided a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Published: 2022-09-06T17:18:57.000Z
Updated: 2026-04-08T16:57:11.959Z
Imported from gcve-enriched-dumps CVE data
