VYPR
Medium severity (6.5) · NVD Advisory · Published Oct 27, 2025 · Updated Apr 27, 2026

CVE-2025-62898

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maarten Links shortcode (links-shortcode) allows Stored XSS. This issue affects Links shortcode versions up to and including 1.8.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress Links shortcode plugin (≤1.8.3) allows attackers to inject malicious scripts, potentially used in mass exploitation campaigns.

Vulnerability

The WordPress Links shortcode plugin (versions up to and including 1.8.3) contains a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This allows an attacker to inject arbitrary web scripts into pages that will be executed when other users visit the site.

Exploitation

Exploitation requires that a user with at least contributor-level privileges interacts with a crafted link or page [1]. The vulnerability can be initiated by a privileged user, but successful execution depends on additional user interaction, such as clicking a malicious link or submitting a form [1]. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites.

Impact

An attacker can inject malicious scripts, including redirects, advertisements, and other HTML payloads [1]. These scripts execute in the context of the victim's browser, potentially leading to credential theft, site defacement, or further compromise of the WordPress installation.

Mitigation

Users are strongly advised to update the Links shortcode plugin to a version newer than 1.8.3 as soon as possible [1]. If unable to update, contact your hosting provider or web developer for assistance. Patchstack has identified this vulnerability and recommends immediate action due to its potential for mass exploitation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
