CVE-2025-14063

The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in all versions up to, and including, 1.7.9.9.1. The vulnerability exists because the plugin fails to properly sanitize input and escape output for the 'google_error' parameter, allowing injection of arbitrary web scripts [1].

An unauthenticated attacker can exploit this by crafting a malicious link that includes a google_error parameter containing JavaScript code. The attack requires user interaction, as the victim must be tricked into clicking the crafted link. The malicious script then executes in the context of the victim's browser session within the WordPress admin or public-facing pages where the parameter is reflected [1].

The impact is the execution of arbitrary scripts in the victim's browser, which can lead to session hijacking, credential theft, or defacement of the affected WordPress site. Since the plugin integrates with Google Search Console and manages internal links, a successful attack could potentially compromise administrative actions or sensitive data if the victim is an admin [1].

As of the publication date, a patched version (1.7.9.9.2 or later) is expected to be available. The vendor should be contacted for the latest fix. Users are advised to update immediately and consider disabling the plugin until patched. No workarounds are currently provided [1].