CVE-2025-11263: Critical XSS Vulnerability Patched in Link Whisper Free Plugin

Overview

CVE-2025-11263 identifies a reflected Cross-Site Scripting (XSS) vulnerability found in the Link Whisper Free plugin for WordPress. This vulnerability affects all versions up to and including version 0.8.8. It allows unauthenticated attackers to inject arbitrary web scripts into pages if they can successfully trick a user into clicking a specially crafted link. The vulnerability stems from insufficient input sanitization and output escaping of the ‘type’ parameter.

Technical Details

The vulnerability resides within the Report.php file of the Link Whisper Free plugin. Specifically, the value of the ‘type’ request parameter is neither sanitized on input nor escaped before it is written into the page output. Because the payload is reflected from the request rather than stored, an attacker must get a victim to open a crafted URL; when the victim does, the injected script executes in their browser session on the site's origin, potentially leading to account compromise or other malicious activity.
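The following PHP snippet is an added illustration and is not code from the Link Whisper plugin. It places the reflected-XSS pattern just described (a request parameter echoed straight into markup) beside the hardened form, using the WordPress helpers `sanitize_text_field`, `esc_html` and `esc_attr`; the fallback definitions and the report-type allow-list are assumptions so the file runs under plain PHP outside WordPress.

```php
<?php
// Added example, not the plugin's code. Contrasts an unescaped echo of a request
// parameter with the hardened pattern. esc_html/esc_attr/sanitize_text_field are
// WordPress helpers; the fallbacks below exist only so this runs under the PHP CLI.

if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Simplified stand-in: strip tags and control characters, trim whitespace.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}

// Vulnerable pattern: the raw 'type' query value is interpolated into the markup,
// once as element text and once inside an attribute.
function render_report_vulnerable(array $get): string {
    $type = $get['type'] ?? 'all';
    return '<h2>Report: ' . $type . '</h2>' .
           '<input type="hidden" name="type" value="' . $type . '">';
}

// Hardened pattern: sanitize on input, validate against an allow-list where the
// value is really an enum, and escape on output with the function that matches
// the context (esc_html for element text, esc_attr inside an attribute value).
function render_report_hardened(array $get): string {
    $allowed = ['all', 'internal', 'external'];   // assumed report types
    $type = sanitize_text_field((string)($get['type'] ?? 'all'));
    if (!in_array($type, $allowed, true)) {
        $type = 'all';   // unknown value: fall back rather than echo it
    }
    return '<h2>Report: ' . esc_html($type) . '</h2>' .
           '<input type="hidden" name="type" value="' . esc_attr($type) . '">';
}

// Constructed request: the query string a crafted link would carry.
$crafted = ['type' => '"><script>alert(1)</script>'];

echo "Vulnerable output:\n", render_report_vulnerable($crafted), "\n\n";
echo "Hardened output:\n", render_report_hardened($crafted), "\n";
```

Run it with `php example.php`: the vulnerable branch emits the `<script>` element intact and also closes the attribute early, while the hardened branch emits only `Report: all` and a hidden field with `value="all"`. The allow-list is the stronger control here; the output escaping is what prevents injection even when a value cannot be constrained to an enum.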

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-11263 a score of 6.1 (MEDIUM). This score reflects the following characteristics:

  • Attack Vector (AV): Network (N) – The attack can be launched remotely over the network.
  • Attack Complexity (AC): Low (L) – No specialized access conditions or extenuating circumstances exist.
  • Privileges Required (PR): None (N) – No privileges are required to perform the attack.
  • User Interaction (UI): Required (R) – User interaction is required (e.g., clicking a link).
  • Scope (S): Changed (C) – An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
  • Confidentiality Impact (C): Low (L) – Limited information disclosure.
  • Integrity Impact (I): Low (L) – Limited modification of data.
  • Availability Impact (A): None (N) – No impact on system availability.

Possible Impact

Successful exploitation of this XSS vulnerability can have several potential consequences:

  • Account Takeover: An attacker could potentially steal a user’s session cookie and hijack their WordPress account.
  • Malicious Redirection: Users could be redirected to malicious websites to steal credentials or infect their systems with malware.
  • Defacement: The attacker could modify the content of the affected page, leading to website defacement.
  • Information Theft: Sensitive information displayed on the page could be stolen.

Mitigation or Patch Steps

The recommended mitigation is to update the Link Whisper Free plugin to the latest version. This vulnerability has been patched in versions greater than 0.8.8. Follow these steps:

  1. Log in to your WordPress dashboard.
  2. Navigate to Plugins > Installed Plugins.
  3. Locate the Link Whisper Free plugin.
  4. If an update is available, click the Update Now button.

If you are unable to update the plugin immediately, consider temporarily disabling the plugin until the update can be applied. Review your website’s security logs for any suspicious activity related to the plugin.
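As an added aid for the log review suggested above (not part of this advisory or the plugin), the PHP script below scans web-server access log lines for requests whose ‘type’ query parameter carries markup, script or event-handler text, and it decodes values twice so that double-encoded payloads are not missed. The log format, client addresses and the `page=EXAMPLE` request path are constructed for the example.

```php
<?php
// Added example, not part of the advisory or the plugin. Flags requests whose
// 'type' parameter contains markup or script, a reflected-XSS indicator worth
// reviewing. Log lines, addresses and the request path are constructed.

// Return one finding per suspicious request: line number, decoded value, request.
function find_suspicious_type_params(array $lines): array {
    $findings = [];
    foreach ($lines as $n => $line) {
        // Common/combined log format: the request is quoted as "METHOD /path?query HTTP/x.y".
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params);          // parse_str URL-decodes the values once
        if (!isset($params['type'])) {
            continue;
        }
        // Decode a second time: double-encoding is a common filter-evasion trick.
        $decoded = rawurldecode((string)$params['type']);
        if (preg_match('/[<>"\']|javascript:|on\w+=/i', $decoded)) {
            $findings[] = ['line' => $n + 1, 'type' => $decoded, 'request' => $m[1]];
        }
    }
    return $findings;
}

// Constructed sample: one benign request, one plainly encoded payload,
// one double-encoded payload, and one request without a 'type' parameter.
$sample = [
    '203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin.php?page=EXAMPLE&type=internal HTTP/1.1" 200 5120',
    '203.0.113.11 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/admin.php?page=EXAMPLE&type=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5130',
    '203.0.113.12 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-admin/admin.php?page=EXAMPLE&type=%2522%253E%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5130',
    '203.0.113.13 - - [10/Oct/2025:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 100',
];

foreach (find_suspicious_type_params($sample) as $f) {
    printf("line %d: type=%s (%s)\n", $f['line'], $f['type'], $f['request']);
}
```

Only the second and third sample lines are reported. Because a reflected payload is delivered in the request URL, a matching log entry shows that a crafted link was requested, not that any user's browser executed it; follow up by checking the referrer and the client address of the hit, and note that a 200 response from an unpatched version is the condition under which the script would have run.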
