Internal Links Manager
Monthly
Cross-Site Scripting in the Internal Links Manager WordPress plugin (versions 3.0.3 and earlier, by webraketen) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script escapes the vulnerable component's boundary and can act against other WordPress users, including administrators. There is no public exploit identified and it is not on CISA KEV, though Patchstack has publicly documented the flaw.
Cross-Site Scripting in the Internal Links Manager WordPress plugin (versions 3.0.3 and earlier, by webraketen) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script escapes the vulnerable component's boundary and can act against other WordPress users, including administrators. There is no public exploit identified and it is not on CISA KEV, though Patchstack has publicly documented the flaw.