{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0804", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-28T14:53:15.819Z", "datePublished": "2025-01-29T03:21:23.753Z", "dateUpdated": "2026-04-08T17:19:25.763Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:25.763Z"}, "affected": [{"vendor": "clickwhale", "product": "ClickWhale \u2013 Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ClickWhale \u2013 Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ClickWhale \u2013 Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf41b5e1-610e-4159-9325-f7a694380050?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3219341/clickwhale/tags/2.4.2/includes/admin/links/Clickwhale_Links_List_Table.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "SOPROBRO"}], "timeline": [{"time": "2025-09-05T08:26:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-01-28T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-29T14:43:35.995251Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:51:15.237Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-29T14:43:35.995251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:46:14.283Z"}}], "cna": {"title": "ClickWhale \u2013 Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "SOPROBRO"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "flowdee", "product": "ClickWhale \u2013 Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-01-28T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf41b5e1-610e-4159-9325-f7a694380050?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3219341/clickwhale/tags/2.4.2/includes/admin/links/Clickwhale_Links_List_Table.php"}], "descriptions": [{"lang": "en", "value": "The ClickWhale \u2013 Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-01-29T03:21:23.753Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0804", "state": "PUBLISHED", "dateUpdated": "2025-02-12T19:51:15.237Z", "dateReserved": "2025-01-28T14:53:15.819Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-01-29T03:21:23.753Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flowdee:clickwhale:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4B5BC4EB-40C7-4C8F-93FA-4F5D678E0893", "versionEndExcluding": "2.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ClickWhale \u2013 Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento ClickWhale \u2013 Link Manager, Link Shortener and Click Tracker for Affiliate Links &amp; Link Pages para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los t\u00edtulos de los enlaces en todas las versiones hasta la 2.4.1 y incluida, debido a la falta de entradas desinfecci\u00f3n y de escape de salida. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitraria en las p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-0804", "lastModified": "2025-05-23T15:27:23.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-29T04:15:07.193", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3219341/clickwhale/tags/2.4.2/includes/admin/links/Clickwhale_Links_List_Table.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf41b5e1-610e-4159-9325-f7a694380050?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T22:27:25.869594+00:00", "value": {"mitigation_remediation": ["Update the ClickWhale plugin to version 2.4.2 or later, which removes the vulnerable code path.", "If an immediate upgrade is not feasible, delete or disable the plugin until an update is applied.", "Restrict Contributor and Editor roles to limit link editing privileges, or consider revoking these capabilities entirely.", "Apply input validation and output encoding on all user\u2011provided fields to prevent XSS, following CWE\u201179 best practices."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the WordPress ClickWhale plugin, version 2.4.1 and earlier. The vendor is Flowdee, and the plugin is available from the WordPress plugin repository. Administrators who run an instance that has not upgraded past 2.4.1 are vulnerable.", "description_and_impact": "The plugin stores link titles without proper sanitization or encoding, allowing an attacker who can edit a link title to inject malicious JavaScript. When a victim visits a page that displays the stored title, the code executes in their browser. The injected script can perform a range of malicious actions such as stealing session cookies, defacing content, or redirecting to phishing sites. This is a classic stored cross\u2011site scripting flaw (CWE\u201179).", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, placing it in the medium severity range. Its EPSS score is below 1\u202f%, indicating a very low probability of exploitation at this time. It is not listed in the CISA KEV catalog. The description states that the flaw is exploitable by authenticated users with Contributor-level permissions or higher; the likely attack path is through the WordPress admin interface where the attacker can modify a link title. Because an attacker must first obtain legitimate credentials, the overall risk is mitigated compared to a purely unauthenticated vulnerability, but the potential impact remains significant."}}}}, "created": "2026-04-21T22:30:06.138011+00:00", "updated": "2026-04-21T22:30:06.138024+00:00", "vendors": []}