Threat Feed
medium advisory

CVE-2025-11262: WordPress Link Whisper Free Plugin Stored XSS Vulnerability

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS), allowing unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user accesses the injected page, affecting versions up to and including 0.9.0.

The Link Whisper Free plugin for WordPress, in versions up to and including 0.9.0, contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-11262. This vulnerability stems from insufficient input sanitization and output escaping of the user_id parameter. An unauthenticated attacker can exploit this vulnerability by injecting malicious JavaScript code into the WordPress database. When a logged-in user accesses a page containing the injected script, the script executes within their browser session, potentially leading to session hijacking, sensitive information theft, or other malicious activities. This vulnerability poses a significant risk to WordPress sites using the affected plugin versions, as it allows attackers to compromise user accounts and potentially gain administrative control over the site.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site using the Link Whisper Free plugin version 0.9.0 or earlier.
  2. The attacker crafts a malicious HTTP request targeting a page or functionality that utilizes the user_id parameter without proper sanitization.
  3. The malicious request injects a JavaScript payload into the user_id parameter.
  4. The WordPress application stores the attacker’s payload in the database without proper sanitization or escaping.
  5. A legitimate, authenticated user accesses a page or functionality that retrieves and displays the unsanitized user_id parameter from the database.
  6. The injected JavaScript payload executes within the user’s browser session.
  7. The attacker’s script can perform actions such as stealing cookies, redirecting the user to a malicious site, or modifying content on the page.
  8. The attacker gains unauthorized access or control through the compromised user session.

Impact

Successful exploitation of CVE-2025-11262 allows an unauthenticated attacker to inject malicious JavaScript code into a WordPress site. This injected code can then be executed in the browser of any user who views the affected content. The impact of this vulnerability can range from defacement and redirection to the theft of sensitive information, such as user credentials and session cookies, ultimately enabling account takeover. Given the widespread use of WordPress, this vulnerability could potentially impact a large number of websites and users.

Recommendation

  • Upgrade the Link Whisper Free plugin to the latest available version to remediate CVE-2025-11262.
  • Deploy the provided Sigma rule "Detect WordPress Link Whisper XSS Attempt" to your SIEM to identify potential exploitation attempts.
  • Implement input validation and output encoding for all user-supplied data, especially within WordPress plugins, to prevent XSS vulnerabilities.
  • Regularly audit WordPress plugins for security vulnerabilities and promptly apply available patches.

Detection coverage (2 rules)

Detect WordPress Link Whisper XSS Attempt

Level: medium

Detects potential exploitation attempts of CVE-2025-11262, a stored XSS vulnerability in the Link Whisper Free plugin for WordPress, by identifying requests containing common XSS payloads in the `user_id` parameter.

Format: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detect WordPress Link Whisper Reflected XSS in user_id Parameter

Level: low

Detects potential reflected XSS attempts in the Link Whisper plugin for WordPress by looking for `<script>` tags within the user_id parameter in the request URI.

Format: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver
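As an added example (not part of this advisory, the Sigma rules, or the Link Whisper project), the check both rules describe applied to constructed access-log lines: it URL-decodes the `user_id` value, including double percent-encoding, before matching, so case-mixed or encoded `<script>` tags and inline event handlers that a literal `<script>` match on the raw request URI would miss are still flagged. The `admin.php` path and sample addresses are placeholders; the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# "Common XSS payload" shapes: a <script> tag, an inline event-handler
# attribute, or a javascript: URL, matched case-insensitively on the
# fully decoded parameter value.
XSS_PATTERNS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

# Common/combined log format: only the request line is needed here.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (double-encoding evades naive matching)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def user_id_values(request_uri: str) -> list[str]:
    """Return every user_id value in the query string, fully decoded."""
    query = urlsplit(request_uri).query
    return [decode_fully(v) for v in parse_qs(query, keep_blank_values=True).get("user_id", [])]

def is_suspicious(line: str) -> bool:
    """True if the access-log line carries an XSS-looking user_id parameter."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    return any(XSS_PATTERNS.search(v) for v in user_id_values(m.group(1)))

def scan(lines: list[str]) -> list[str]:
    """Return the request URIs of matching lines, for triage."""
    return [REQUEST_RE.search(l).group(1) for l in lines if is_suspicious(l)]

# Constructed sample log lines (placeholder path, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=example&user_id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Oct/2025:10:00:02 +0000] "GET /wp-admin/admin.php?page=example&user_id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Oct/2025:10:00:03 +0000] "GET /?user_id=%253CScRiPt%253E HTTP/1.1" 200 128',
    '203.0.113.7 - - [01/Oct/2025:10:00:04 +0000] "GET /?user_id=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for uri in scan(SAMPLE_LOG):
        print("suspicious:", uri)
```

The benign first line with a numeric `user_id` is not reported; the three others match only after decoding, which is the gap a raw-URI `<script>` match leaves.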

Detection queries are available on the platform.