ClickWhale WordPress Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the ClickWhale WordPress plugin, specifically in the Link Manager, Link Shortener, and Click Tracker for Affiliate Links & Link Pages components, all versions through 2.4.1. The vulnerability arises from improper handling of URL parameters using add_query_arg and remove_query_arg, which allows unauthenticated attackers to inject arbitrary scripts. These scripts can execute if a user is tricked into clicking a link.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, an attacker can craft a URL that exploits the vulnerable parameter handling in the WordPress admin interface. The injected script will execute if the victim clicks the link, demonstrating the cross-site scripting flaw.

Remediation

Users are advised to update the ClickWhale WordPress plugin to version 2.4.2 or later.