Viewing 5 replies - 1 through 5 (of 5 total)
  • dgmstuart

    (@dgmstuart)

    +1

    dgmstuart

    (@dgmstuart)

    Here’s an older advisory with the same issue from an apparently different source: http://seclists.org/fulldisclosure/2015/Mar/23

    Chris

    (@comradeseidl)

    Does this fix it (edit to newsletter/statistics/link.php):

    $site_url = parse_url( get_site_url() );
    $site_domain = $site_url['host'];
    
    $input_url = parse_url( $url );
    $input_domain = $input_url['host'];
    
    // only redirect when the link target is on our own host
    if ($site_domain == $input_domain) {
        header('Location: ' . $url);
        exit;
    }

    Chris – I would probably use the === operator for comparing the two domain strings; apart from that it looks like it should work (not tested). Let me know when it has been fixed and we can mark it as such on wpvulndb.com.

    Plugin Author Stefano Lissa

    (@satollo)

    Domain checking is not good: many marketing emails are sent linking external services (for example affiliates).

    Version 3.8.3 has a control key on the rewritten URLs. For old links an intermediate page is shown where the destination URL (not verified with a valid key) is explicitly shown.
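The two approaches discussed in this thread (Chris's same-host check and the keyed rewritten links in 3.8.3) are shown together below as an added example; this is not the Newsletter plugin's own code. Function names, the `NEWSLETTER_LINK_SECRET` constant and the interstitial markup are hypothetical, and the site URL is passed in as a parameter instead of calling `get_site_url()` so the script runs outside WordPress.

```php
<?php
// Added example, not the Newsletter plugin's code: tracked links carry a keyed
// hash of the destination, so link.php only follows URLs it generated itself.
// Unsigned (old) links get an interstitial page that shows where they lead.

// Server-side secret (constructed placeholder; load from configuration in practice).
const NEWSLETTER_LINK_SECRET = 'replace-with-a-random-32-byte-secret';

// Build the rewritten tracking link: destination plus a control key over it.
function newsletter_sign_link(string $destination, string $tracker = '/newsletter/statistics/link.php'): string {
    $key = hash_hmac('sha256', $destination, NEWSLETTER_LINK_SECRET);
    return $tracker . '?' . http_build_query(['url' => $destination, 'key' => $key]);
}

// True only if the key was produced for exactly this destination with our secret.
// hash_equals() compares in constant time.
function newsletter_link_is_valid(string $destination, ?string $key): bool {
    if ($key === null) {
        return false;
    }
    $expected = hash_hmac('sha256', $destination, NEWSLETTER_LINK_SECRET);
    return hash_equals($expected, $key);
}

// Same-host check as in Chris's snippet, with strict comparison and a guard
// for parse_url() returning false or a URL without a host component.
function newsletter_same_host(string $site_url, string $destination): bool {
    $site = parse_url($site_url);
    $dest = parse_url($destination);
    if ($site === false || $dest === false || !isset($site['host'], $dest['host'])) {
        return false;
    }
    return strtolower($site['host']) === strtolower($dest['host']);
}

// Decide what link.php should do for one request: follow signed links,
// show an interstitial for unsigned ones, reject anything that is not http(s).
function newsletter_handle_click(array $query, string $site_url): array {
    $destination = $query['url'] ?? '';
    $key = $query['key'] ?? null;

    if (!in_array(parse_url($destination, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return ['action' => 'reject'];
    }
    if (newsletter_link_is_valid($destination, $key)) {
        return ['action' => 'redirect', 'url' => $destination];
    }
    // Old, unsigned links are never redirected silently. The caller may choose
    // to auto-follow same-host ones; everything else is shown to the user first.
    return [
        'action'    => 'interstitial',
        'url'       => $destination,
        'same_host' => newsletter_same_host($site_url, $destination),
    ];
}

// Interstitial page: the destination is escaped before it is echoed.
function newsletter_render_interstitial(string $destination): string {
    $safe = htmlspecialchars($destination, ENT_QUOTES, 'UTF-8');
    return "<p>You are leaving this site for <code>{$safe}</code>.</p>\n"
         . "<p><a href=\"{$safe}\" rel=\"noopener noreferrer\">Continue</a></p>\n";
}

// Demonstration with constructed inputs.
$site   = 'https://example.com';
$signed = newsletter_sign_link('https://affiliate.example.net/offer?id=42');
parse_str(parse_url($signed, PHP_URL_QUERY), $params);

// A link generated by the plugin: key matches, redirect is allowed.
$result = newsletter_handle_click($params, $site);
echo $result['action'], "\n";

// The same key with a changed destination: key no longer matches, user sees the page.
$params['url'] = 'https://other.example.org/';
$result = newsletter_handle_click($params, $site);
echo $result['action'], "\n";
if ($result['action'] === 'interstitial') {
    echo newsletter_render_interstitial($result['url']);
}
```

Run with `php link-example.php`. The HMAC covers only the destination here; a production version would also bind the subscriber or email id into the signed data so one valid key cannot be reused across campaigns, and the secret must be generated once per site and stored outside the web root.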


The topic ‘Open Redirect Security Issues’ is closed to new replies.