CVE-2025-11262: Link Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
Link Whisper Free, a WordPress plugin, contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially allowing attackers to steal credentials, redirect users, or perform actions on their behalf. The vulnerability stems from improper handling of the user_id parameter and affects all versions up to 0.9.0.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-11262 is a Stored XSS vulnerability (CWE-79) in Link Whisper Free versions ≤0.9.0, arising from insufficient input sanitization and output escaping of the user_id parameter. The vulnerability permits unauthenticated attackers to craft malicious payloads that persist in the application's data store. When any user accesses a page containing the injected payload, the attacker's script executes in the user's browser context with the privileges of that user. The CVSS 3.1 score of 7.2 (HIGH) reflects the network-accessible attack vector, low complexity, no privilege requirement, and the cross-site scope of potential impact.
Business impact
A compromised WordPress site running Link Whisper Free can become a vector for widespread user compromise. Attackers may harvest login credentials from site administrators and visitors, inject malware into the site's content, redirect users to phishing pages, or perform unauthorized actions (such as modifying site configuration or creating backdoor accounts). For organizations relying on Link Whisper for content optimization, this vulnerability can undermine visitor trust and compliance posture—particularly if personal data or payment information traverses the affected site.
Affected systems
Link Whisper Free plugin for WordPress, all versions up to and including 0.9.0. Any WordPress site with Link Whisper Free installed is vulnerable regardless of server architecture, PHP version, or WordPress core version. The vulnerability is accessible to unauthenticated remote attackers, making the attack surface broad.
Exploitability
The vulnerability is readily exploitable. No authentication, special privileges, or user interaction beyond visiting an injected page is required for the attack to succeed. The attacker simply crafts a malicious payload in the user_id parameter and triggers the plugin's data storage mechanism; subsequent visitors execute the injected script automatically. Given the ubiquity of WordPress and the popularity of optimization plugins, exploit development and detection evasion are straightforward, making this vulnerability attractive to malware distributors and opportunistic attackers.
Remediation
Update Link Whisper Free to a version released after 0.9.0 that addresses input sanitization and output escaping of the user_id parameter. Website administrators should verify the patched version is available in their WordPress plugin repository or directly from the plugin developer. Simultaneously, scan the site for evidence of prior exploitation (injected scripts in post/page content, unusual database entries, or suspicious user accounts) and review access logs for anomalous user_id parameter values.
Patch guidance
1. Back up your WordPress database and files before applying any updates. 2. Navigate to WordPress Admin > Plugins and identify Link Whisper Free. 3. Verify that a patched version (version number beyond 0.9.0) is available and install it immediately. 4. Test your site functionality post-update to confirm content optimization features work as expected. 5. If no patched version is available, disable and remove the plugin temporarily until a fix is released, then re-enable once the patch is deployed. 6. Enable automatic plugin updates if your hosting environment and security posture permit.
Detection guidance
Monitor WordPress logs and database audit trails for: (1) unusual entries in the user_id parameter with script-like content (e.g., <script>, javascript:, onerror=), (2) unexpected modifications to post or page content, (3) admin users created by non-administrators, and (4) repeated access attempts with encoded or obfuscated payloads. Use WordPress security plugins (e.g., Wordfence, iThemes Security) to scan for stored malware signatures and check file integrity. Review access logs for requests containing suspicious query strings targeting the plugin's parameter handling.
Why prioritize this
HIGH priority due to the combination of unauthenticated accessibility, stored persistence, cross-site payload scope, and direct impact on site visitors. Unlike reflected XSS, stored XSS affects all users who visit the compromised page, multiplying impact. The LOW complexity of exploitation and absence of CVSS authentication requirements make this a top target for mass exploitation campaigns. Any organization running Link Whisper Free should patch immediately.
Risk score, explained
CVSS 3.1 score 7.2 (HIGH) reflects: Network attack vector (AV:N) = remotely exploitable; Low complexity (AC:L) = no special conditions required; No privilege requirement (PR:N) = unauthenticated attackers can exploit; No user interaction (UI:N) = payload executes on page load; Changed scope (S:C) = affects other users and systems beyond the vulnerable component. Confidentiality and Integrity impacts (C:L/I:L) acknowledge that injected scripts can exfiltrate data or alter page behavior, though Availability is not directly impacted (A:N).
Frequently asked questions
Can this vulnerability be exploited if I have Link Whisper Free disabled but still installed?
Yes. Disabled plugins still load certain PHP files and functionality. To eliminate risk, either update to a patched version or remove the plugin entirely.
Does updating WordPress core or other plugins help mitigate this?
No. This vulnerability is specific to Link Whisper Free's handling of the user_id parameter. Only updating Link Whisper Free itself addresses the root cause. However, a Web Application Firewall (WAF) configured to detect and block XSS payloads may provide temporary protection while you patch.
What should I do if I discover a stored XSS payload already injected into my site?
Immediately: (1) Create a backup, (2) Isolate the site if feasible, (3) Update Link Whisper Free, (4) Manually inspect and remove any injected content from posts/pages, (5) Reset all passwords for admin and key users, (6) Scan for backdoor accounts and malware, (7) Review access logs to determine attack duration and scope.
Is Link Whisper Free still safe to use after patching?
Yes, provided you apply the patch promptly and remain current with updates. Verify the patch version is ≥0.9.1 or higher (confirm the exact patched version in the plugin repository) and test thoroughly before deploying to production.
This analysis is provided for informational purposes and reflects details available as of the publication date. Patch version numbers and availability should be verified directly with the WordPress plugin repository or Link Whisper's official vendor. Organizations must conduct their own risk assessment and testing. SEC.co does not provide warranty or guarantee regarding the completeness or accuracy of remediation steps. Consult your organization's security and compliance team before implementing changes in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-33245HIGHReact Router 7.7.0-7.13.1 RSC XSS Vulnerability – Patch Available