
External Links in New Window / New Tab < 1.43 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible.

Proof of Concept

On any post on the affected site, add the following link to a comment:



<a href="http://domain.tld/'-alert(1)-'/">Click here for XSS</a>



Click on the link; an alert box should appear.
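
The pattern from the description, as an added example that is not the plugin's code (the page does not show it): the `window.open('...')` handler shape and all function names here are assumptions. It compiles each handler string with stubbed `window` and `alert` objects, showing the unescaped concatenation next to two hardened forms.

```javascript
// Added illustration; not the plugin's code. The handler shape
// "window.open('<url>');return false;" is an assumption.

// Vulnerable pattern: URL pasted into a single-quoted JS string literal.
function buildHandlerUnsafe(url) {
  return "window.open('" + url + "');return false;";
}

// Hardened string form: JSON.stringify emits a valid JS string literal,
// escaping quotes and backslashes so the URL cannot leave the literal.
function buildHandlerEscaped(url) {
  return "window.open(" + JSON.stringify(url) + ");return false;";
}

// Preferred form: no code string at all; the URL stays data in a closure,
// as it would with addEventListener in a browser.
function buildHandlerClosure(url) {
  return (win) => { win.open(url); return false; };
}

// Compile a handler string the way a browser compiles an onclick attribute,
// with stubbed window/alert that only record what was called.
function runHandler(source) {
  const log = { opened: [], alerts: 0 };
  const win = { open: (u) => log.opened.push(u) };
  const alertStub = () => { log.alerts += 1; return 0; };
  new Function("window", "alert", source)(win, alertStub);
  return log;
}

function runClosure(handler) {
  const log = { opened: [], alerts: 0 };
  handler({ open: (u) => log.opened.push(u) });
  return log;
}

// The href from the proof of concept on this page.
const POC_URL = "http://domain.tld/'-alert(1)-'/";

function demo() {
  return {
    unsafe: runHandler(buildHandlerUnsafe(POC_URL)),
    escaped: runHandler(buildHandlerEscaped(POC_URL)),
    closure: runClosure(buildHandlerClosure(POC_URL)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

If the escaped string form is written into HTML markup rather than set through the DOM, the whole attribute value must also be HTML-attribute-escaped.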