VYPR
High severity · CVSS 7.1 · NVD Advisory · Published Nov 24, 2025 · Updated Apr 15, 2026

CVE-2025-12629

Description

The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Broken Link Manager plugin (<=0.6.5) fails to sanitize a parameter, leading to reflected XSS that can target admin users.

The Broken Link Manager WordPress plugin, in versions up to and including 0.6.5, contains a reflected cross-site scripting (XSS) vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page, allowing an attacker to inject arbitrary JavaScript code [1].

To exploit this vulnerability, an attacker must trick a high-privilege user, such as an administrator, into clicking a crafted link. The attack does not require authentication but relies on social engineering to deliver the malicious URL. The injected script executes in the context of the victim's session [1].

Successful exploitation could allow an attacker to perform actions on behalf of the targeted administrator, such as creating new accounts, modifying site settings, or injecting malicious content. This can lead to full compromise of the WordPress site, as reflected XSS against high-privilege users can be used to escalate privileges [1].

As of the advisory publication, no fix is available. Users are urged to review alternatives or apply strict content security policies. The vulnerability is publicly disclosed and poses an increased risk for sites with multiple administrators [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.