CVE-2024-0657 in Internal Link Juicer Plugin
Summary
by MITRE • 02/09/2024
The Internal Link Juicer: SEO Auto Linker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as 'ilj_settings_field_links_per_page' in all versions up to, and including, 2.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-0657 affects the Internal Link Juicer: SEO Auto Linker WordPress plugin, specifically targeting versions up to and including 2.23.4. This represents a critical security flaw that exploits stored cross-site scripting vulnerabilities within the plugin's administrative settings. The vulnerability manifests through the 'ilj_settings_field_links_per_page' parameter, which fails to implement proper input sanitization and output escaping mechanisms. Security researchers have classified this issue as a stored XSS vulnerability, meaning that malicious scripts can be permanently stored on the server and executed whenever authorized users access affected pages. The flaw particularly impacts multi-site WordPress installations where the unfiltered_html capability has been disabled, creating a dangerous attack surface for authenticated administrators who possess administrative privileges.
The technical implementation of this vulnerability stems from inadequate validation of user-supplied input within the plugin's administrative interface. When administrators modify the 'ilj_settings_field_links_per_page' setting, the plugin fails to properly sanitize or escape the input before storing it in the database. This insufficient sanitization allows attackers to inject malicious JavaScript code that gets stored as part of the plugin's configuration. The vulnerability operates under CWE-79 which specifically addresses Cross-Site Scripting flaws, and aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: JavaScript. The stored nature of this vulnerability means that the malicious payload persists in the database, executing automatically whenever affected pages are rendered to authenticated users with sufficient privileges.
The operational impact of CVE-2024-0657 is severe and multifaceted, particularly for WordPress multi-site environments where administrators can execute arbitrary code on behalf of other users. An attacker with administrative access can inject malicious scripts that could steal session cookies, redirect users to malicious domains, or perform actions on behalf of authenticated users. The vulnerability affects not just the immediate administrative interface but extends to any page that displays content processed through the compromised plugin. This creates a potential attack vector for privilege escalation, data exfiltration, and persistent backdoor establishment within the WordPress environment. The requirement for administrator-level access to exploit this vulnerability does not diminish its severity, as administrative accounts typically possess extensive system privileges and can cause significant damage.
Organizations affected by this vulnerability should immediately update to the latest version of the Internal Link Juicer plugin where the XSS flaw has been patched. The mitigation strategy should include implementing proper input validation and output escaping mechanisms throughout the plugin's administrative interfaces. Security teams should conduct comprehensive audits of all installed WordPress plugins to identify similar vulnerabilities that may exist in other third-party components. Additionally, implementing network monitoring and web application firewalls can help detect and prevent exploitation attempts. The vulnerability demonstrates the critical importance of proper input sanitization and output escaping as fundamental security practices, particularly in administrative interfaces where privileged users interact with potentially untrusted input data. Organizations should also consider implementing role-based access controls and regular security assessments of their WordPress installations to prevent similar vulnerabilities from being exploited in the future.