CVE-2022-2600
Auto-hyperlink URLs <= 5.4.1 - Tab Nabbing
In short
The Auto-hyperlink URLs plugin fails to protect links it creates, allowing websites you click on to take control of your browser tab and redirect you to a phishing site. This happens because the plugin doesn't add security attributes that prevent this hijacking.
Technical detail
The plugin generates external links without setting rel="noopener noreferrer" attributes, allowing target websites to access the source window object via window.opener and perform tab nabbing attacks. An attacker can redirect the original tab to a phishing page while the user is viewing the opened site, requiring no user interaction beyond the initial click.
Summary generated and translated by AI from the official description.
The Auto-hyperlink URLs WordPress plugin through 5.4.1 does not set rel="noopener noreferrer" on generated links, which can lead to Tab Nabbing by giving the target site access to the source tab through the window.opener DOM object.
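An added example (not the plugin's code and not part of the advisory): a Python check that audits rendered post HTML for external links that open a new browsing context without `noopener` or `noreferrer` in `rel`. It assumes the generated links carry a `target` attribute such as `_blank`; the names `audit` and `OpenerAudit` and the hosts `blog.example` and `other.example` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Targets that keep navigation in the current context (no new tab is opened).
SAME_CONTEXT = {"", "_self", "_parent", "_top"}


class OpenerAudit(HTMLParser):
    """Collect external <a> tags that open a new tab without noopener."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()  # hypothetical: the blog's own host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("target", "").strip().lower() in SAME_CONTEXT:
            return  # same tab: the destination gets no window.opener
        host = (urlparse(a.get("href", "").strip()).hostname or "").lower()
        if not host or host == self.site_host:
            return  # relative or same-site link, not an external destination
        rel = set(a.get("rel", "").lower().split())
        # In the HTML spec, noreferrer implies noopener, so either token suffices.
        if not rel & {"noopener", "noreferrer"}:
            line, _ = self.getpos()
            self.findings.append((line, a["href"]))


def audit(html, site_host):
    """Return [(line, href)] for links that expose window.opener."""
    parser = OpenerAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of rendered post content (not taken from a real site).
SAMPLE = """<p><a href="https://other.example/a" target="_blank">https://other.example/a</a></p>
<p><a href="https://other.example/b" target="_blank" rel="noopener noreferrer">ok</a></p>
<p><a href="https://other.example/c" target="_blank" rel="nofollow">c</a></p>
<p><a href="https://blog.example/about" target="_blank">internal</a></p>
<p><a href="https://other.example/d">same tab</a></p>
<p><a href="HTTPS://Other.Example/e" TARGET="_BLANK" REL="NoReferrer">e</a></p>"""

if __name__ == "__main__":
    for line, href in audit(SAMPLE, "blog.example"):
        print(f"line {line}: {href} opens a new tab without rel=noopener")
```

Run it over exported or crawled post HTML before and after upgrading the plugin to confirm that no flagged links remain.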
Affected products
Unknown · Auto-hyperlink URLs