CVE-2024-1663 in Ultimate Noindex Nofollow Tool II Plugin
Summary
by MITRE • 05/16/2025
The Ultimate Noindex Nofollow Tool II WordPress plugin before 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/11/2025
The vulnerability identified as CVE-2024-1663 affects the Ultimate Noindex Nofollow Tool II WordPress plugin version prior to 1.3.6, presenting a critical security risk through stored cross-site scripting exploits. This flaw specifically targets the plugin's handling of user settings, where insufficient sanitization and escaping of input data creates persistent XSS attack vectors. The vulnerability is particularly concerning because it can be exploited by users with administrative privileges, even in environments where the unfiltered_html capability has been restricted, such as in multisite WordPress configurations.
The technical implementation of this vulnerability stems from the plugin's failure to properly validate and escape user-supplied input within its administrative settings interface. When administrators configure the plugin's noindex and nofollow parameters, the data is stored in the WordPress database without adequate sanitization processes. This creates a persistent XSS condition where malicious scripts can be injected into the plugin's settings and subsequently executed whenever the settings page is accessed by authenticated users. The vulnerability operates under CWE-79 which classifies the issue as Cross-Site Scripting, specifically targeting stored XSS scenarios where the malicious payload is permanently stored on the server.
The operational impact of this vulnerability extends beyond simple script execution as it can enable attackers to escalate privileges, steal user sessions, or manipulate plugin functionality. In multisite environments where the unfiltered_html capability is typically restricted to prevent unauthorized HTML injection, this vulnerability undermines the security model by allowing administrators to bypass these protections through the plugin's settings. The attack surface is particularly wide because the vulnerability affects the core WordPress administrative interface, potentially enabling attackers to establish persistent access or conduct further reconnaissance within the affected WordPress installations.
Mitigation strategies for this vulnerability require immediate plugin updates to version 1.3.6 or later, which includes proper sanitization and escaping mechanisms for user inputs. Administrators should also implement additional security measures such as regular security audits of installed plugins, monitoring for unauthorized changes to plugin settings, and maintaining up-to-date security practices including role-based access controls. The vulnerability demonstrates the importance of input validation in WordPress plugin development and aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter, particularly when considering the potential for malicious script execution. Organizations should also consider implementing web application firewalls to detect and prevent exploitation attempts, while ensuring that all WordPress installations maintain current security patches and follow secure coding practices for custom plugin development.