CVE-2025-11262
Description
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Link Whisper Free plugin for WordPress up to 0.9.0 has a stored XSS vulnerability via the user_id parameter, allowing unauthenticated attackers to inject arbitrary scripts.
Vulnerability
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 0.9.0. The flaw is in the handling of the user_id parameter, which is neither sanitized on input nor escaped on output. Reference [2] locates the affected code in the plugin's core component at /core/Wpil/Settings.php, line 883. Because the value is stored, a single injected payload keeps executing every time a user loads the page on which the plugin renders it. The description does not mention any special configuration; the only stated precondition is that the plugin is installed and active at an affected version.
Exploitation
An unauthenticated attacker exploits this by sending a crafted HTTP request in which the user_id parameter carries HTML or JavaScript rather than a numeric identifier. No account or elevated privilege is needed, and no user interaction is required at injection time. The payload is persisted by the plugin and fires when a user views the page where the stored value is rendered; since the sink is in the plugin's settings component, that viewer is most likely an administrator on the plugin's settings screen, although the description only says "a user". Beyond the single HTTP request, the attacker needs no other access to the site.
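As an added illustration (not Link Whisper's code, which this page does not reproduce), the following stand-alone PHP script shows the pattern the description names, a request parameter stored without sanitization and later echoed into an HTML attribute without escaping, next to a hardened version that coerces user_id to an integer and escapes on output. The function and variable names, the in-memory $storage array standing in for the WordPress options table, and the payload are all constructed for this example; the WordPress helpers the hardened code mirrors (absint(), esc_attr()) are named in comments but not called, so the script runs with plain PHP 8.

```php
<?php
// Added example, not the plugin's code. Simulates a settings handler that takes
// `user_id` from a request, persists it, and renders it back into an <input>.
// All names below (save_settings_*, render_settings_*, $storage) are hypothetical.
declare(strict_types=1);

// Stand-in for the WordPress options table (real code: update_option/get_option).
$storage = [];

/** Vulnerable: stores the raw parameter and echoes it with no escaping. */
function save_settings_vulnerable(array &$storage, array $request): void
{
    if (isset($request['user_id'])) {
        $storage['user_id'] = $request['user_id']; // no sanitization at all
    }
}

function render_settings_vulnerable(array $storage): string
{
    $uid = $storage['user_id'] ?? '';
    // No output escaping: attacker text lands inside a double-quoted attribute
    // and can close it early, adding event-handler attributes of its own.
    return '<input type="text" name="user_id" value="' . $uid . '">';
}

/** Hardened: user_id is an identifier, so coerce on input and escape on output. */
function save_settings_hardened(array &$storage, array $request): int
{
    // WordPress would use absint(); the built-in cast is the equivalent here.
    // Non-numeric or tampered input collapses to 0 instead of being stored verbatim.
    $uid = isset($request['user_id']) ? abs((int) $request['user_id']) : 0;
    $storage['user_id'] = $uid;
    return $uid;
}

function render_settings_hardened(array $storage): string
{
    $uid = (int) ($storage['user_id'] ?? 0);
    // WordPress would use esc_attr(); htmlspecialchars with ENT_QUOTES is the
    // built-in equivalent for an attribute context. Escaping an int is
    // redundant, but it keeps the sink safe if the stored type ever changes.
    $safe = htmlspecialchars((string) $uid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="user_id" value="' . $safe . '">';
}

/** Demo-only check: did the rendered markup contain the attribute breakout? */
function attribute_breakout(string $html, string $marker): bool
{
    return str_contains($html, $marker);
}

// Constructed request: a classic attribute-breakout payload in user_id.
$payload = '1" onfocus="alert(document.cookie)" autofocus="';
$request = ['user_id' => $payload];

save_settings_vulnerable($storage, $request);
$vuln = render_settings_vulnerable($storage);
echo "vulnerable : $vuln\n";

$storage = [];
save_settings_hardened($storage, $request);
$hard = render_settings_hardened($storage);
echo "hardened   : $hard\n";

$marker = '" onfocus=';
echo 'breakout (vulnerable): ' . var_export(attribute_breakout($vuln, $marker), true) . "\n";
echo 'breakout (hardened)  : ' . var_export(attribute_breakout($hard, $marker), true) . "\n";
```

Run it with `php example.php`. The point of the two-layer fix is that each layer is sufficient on its own for this sink: the integer cast removes the payload before it is stored, and the attribute-context escape would neutralise it even if a raw string reached the template. A plugin that does only one of the two is one refactor away from being vulnerable again.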
Impact
Successful exploitation runs attacker-supplied script in the victim's browser with the victim's WordPress session. Typical consequences are session or cookie theft, credential capture through injected forms, defacement, and redirection to attacker-controlled sites. Where the victim is an administrator, the script can also drive wp-admin actions with the victim's cookies and nonces (for example creating users or changing settings), so the practical impact extends to the site's integrity, not just the one page. The attacker gains no direct server-side access; everything is done through the victim's privileges.
Mitigation
No patched version had been released as of the publication date; every version up to and including 0.9.0 is affected. Administrators should confirm the installed version on the Plugins screen, monitor the plugin's changelog at [1] for a security release, and update as soon as one appears. Until then, deactivating the plugin removes the vulnerable code path. There is no indication that this CVE is listed in the KEV catalog.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=0.9.0
- 1 more entry not shown
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3 references (list not shown on this page)
News mentions
No linked articles in our index yet.