CVE-2024-37888

MEDIUM

mlewand/open_link < 1.0.5 - Stored Cross-Site Scripting via Link Href Attribute

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-37888. PoCs published by 7Ragnarok7.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2024-37888, an XSS vulnerability in the Open Link plugin for CKEditor 4. The exploit demonstrates how crafted links can execute arbitrary JavaScript when clicked within the editor.

Description

The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**.

Exploits (1)

nomisec WORKING POC 3 stars

by 7Ragnarok7 · poc

https://github.com/7Ragnarok7/CVE-2024-37888

View Code ZIP pw:eip

This repository contains a functional proof-of-concept for CVE-2024-37888, an XSS vulnerability in the Open Link plugin for CKEditor 4. The exploit demonstrates how crafted links can execute arbitrary JavaScript when clicked within the editor.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: CKEditor 4 with Open Link plugin < 1.0.5

No auth needed

Prerequisites: CKEditor 4 installed · Open Link plugin version < 1.0.5 enabled

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm

Scores

CVSS v3 6.1

EPSS 0.0086

EPSS Percentile 53.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

mlewand/open_link < 1.0.5

Published Jun 14, 2024

Tracked Since Feb 18, 2026