CVE-2025-48110

Vulnerability

Overview

The Link View plugin for WordPress, versions up to and including 0.8.0, contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This improper neutralization allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the browsers of visitors.

Exploitation

Details

Exploitation requires a privileged user (such as an administrator or editor) to perform an action, such as clicking a crafted link or visiting a specially prepared page [1]. Once triggered, the injected script is stored and will execute when any user visits the affected page, making it a persistent threat.

Impact

A successful attack can lead to the execution of malicious scripts, including redirects to attacker-controlled sites, injection of advertisements, or other HTML payloads [1]. This can compromise the integrity of the website and potentially lead to further attacks against visitors.

Mitigation

The vulnerability affects all versions up to and including 0.8.0. Users are advised to update the plugin immediately to a patched version if available [1]. If an update is not possible, users should contact their hosting provider or web developer for assistance. This vulnerability is known to be used in mass-exploit campaigns, so prompt action is recommended.