CVE-2022-1759: 
WordPress vulnerability analysis and mitigation

The RB Internal Links WordPress plugin version 2.0.16 and below contains a Cross-Site Request Forgery (CSRF) vulnerability that could lead to Stored Cross-Site Scripting (XSS) attacks. The vulnerability was discovered and reported by Daniel Ruf, assigned CVE-2022-1759, and publicly disclosed on May 23, 2022. The vulnerability has been assigned a CVSS score of 6.1 (Medium) (WPScan).

The vulnerability exists due to the plugin lacking proper CSRF protection mechanisms when updating its settings. Additionally, there is insufficient sanitization and escaping of input data. This combination allows attackers to potentially execute both CSRF and stored XSS attacks. The vulnerability has been classified under CWE-352 and falls under the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan).

An attacker could exploit this vulnerability to make unauthorized changes to the plugin settings through a CSRF attack when an administrator is logged in. Furthermore, due to the lack of proper input sanitization, the attacker could potentially store and execute malicious JavaScript code that would affect users viewing the compromised settings (WPScan).

As of the last update, there is no known fix available for this vulnerability. Site administrators using the affected plugin should consider either removing the plugin or implementing additional security controls to prevent CSRF attacks, such as Web Application Firewalls (WPScan).