CVE-2026-22357
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS. This issue affects Link Whisper Free: from n/a through <= 0.9.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the WordPress Link Whisper Free plugin ≤0.9.2 allows attackers to inject scripts via a crafted link, requiring user interaction.
Vulnerability Details
The Link Whisper Free plugin for WordPress versions 0.9.2 and earlier suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows attackers to embed arbitrary JavaScript code into a URL that, when visited by a user, executes in the context of the victim's browser.
Exploitation
Exploitation requires user interaction: a victim must click a malicious link or visit a crafted page. The attacker needs no authentication to craft the payload, but a successful attack depends on a privileged user (e.g., a site admin) performing the action [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting websites regardless of size [1].
Impact
A successful attack enables the attacker to execute arbitrary scripts in the victim's browser, which can lead to session hijacking, redirection to malicious sites, display of advertisements, or defacement [1]. The CVSS v3 base score is 7.1 (High), indicating significant potential for harm [1].
Mitigation
The vendor has released version 0.9.3, which patches the vulnerability. Users are strongly advised to update immediately. If updating is not possible, a web application firewall rule (e.g., Patchstack's mitigation) can block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 0.9.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.