<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Link Whisper Free Plugin — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/link-whisper-free-plugin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 29 May 2026 08:17:03 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/link-whisper-free-plugin/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2025-11262: WordPress Link Whisper Free Plugin Stored XSS Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2025-11262-xss/</link><pubDate>Fri, 29 May 2026 08:17:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2025-11262-xss/</guid><description>The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS), allowing unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user accesses the injected page, affecting versions up to and including 0.9.0.</description><content:encoded><![CDATA[<p>The Link Whisper Free plugin for WordPress, in versions up to and including 0.9.0, contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-11262. This vulnerability stems from insufficient input sanitization and output escaping of the <code>user_id</code> parameter. An unauthenticated attacker can exploit this vulnerability by injecting malicious JavaScript code into the WordPress database. 
When a logged-in user accesses a page containing the injected script, the script executes within their browser session, potentially leading to session hijacking, sensitive information theft, or other malicious activities. This vulnerability poses a significant risk to WordPress sites using the affected plugin versions, as it allows attackers to compromise user accounts and potentially gain administrative control over the site.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using the Link Whisper Free plugin version 0.9.0 or earlier.</li>
<li>The attacker crafts a malicious HTTP request targeting a page or function that uses the <code>user_id</code> parameter without proper sanitization.</li>
<li>The malicious request injects a JavaScript payload into the <code>user_id</code> parameter.</li>
<li>The WordPress application stores the attacker&rsquo;s payload in the database without proper sanitization or escaping.</li>
<li>A legitimate, authenticated user accesses a page or function that retrieves the stored <code>user_id</code> value from the database and renders it without output escaping.</li>
<li>The injected JavaScript payload executes within the user&rsquo;s browser session.</li>
<li>The attacker&rsquo;s script can perform actions such as stealing cookies, redirecting the user to a malicious site, or modifying content on the page.</li>
<li>The attacker gains unauthorized access or control through the compromised user session.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-11262 allows an unauthenticated attacker to inject malicious JavaScript code into a WordPress site. This injected code can then be executed in the browser of any user who views the affected content. The impact of this vulnerability can range from defacement and redirection to the theft of sensitive information, such as user credentials and session cookies, ultimately enabling account takeover. Given the widespread use of WordPress, this vulnerability could potentially impact a large number of websites and users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Link Whisper Free plugin to the latest available version to remediate CVE-2025-11262.</li>
<li>Deploy the provided Sigma rule <code>Detect WordPress Link Whisper XSS Attempt</code> to your SIEM system to identify potential exploitation attempts.</li>
<li>Implement input validation and output encoding for all user-supplied data, especially within WordPress plugins, to prevent XSS vulnerabilities.</li>
<li>Regularly audit WordPress plugins for security vulnerabilities and promptly apply available patches.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>wordpress</category><category>xss</category><category>plugin</category></item></channel></rss>