{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11263", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-03T14:17:48.450Z", "datePublished": "2025-12-06T03:27:04.735Z", "dateUpdated": "2026-04-08T17:03:01.174Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:01.174Z"}, "affected": [{"vendor": "linkwhspr", "product": "Link Whisper Free", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.8.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Link Whisper Free <= 0.8.8 - Reflected Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0cbef8-223a-44c0-a07f-28de2670da99?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3401477/link-whisper/trunk/core/Wpil/Report.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nicolai Hellesnes"}], "timeline": [{"time": "2025-11-19T16:53:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-05T14:52:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T20:50:17.829266Z", "id": "CVE-2025-11263", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T20:50:30.892Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11263", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T20:50:17.829266Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T20:50:24.780Z"}}], "cna": {"title": "Link Whisper Free <= 0.8.8 - Reflected Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Nicolai Hellesnes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "linkwhspr", "product": "Link Whisper Free", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.8.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-19T16:53:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-05T14:52:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0cbef8-223a-44c0-a07f-28de2670da99?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3401477/link-whisper/trunk/core/Wpil/Report.php"}], "descriptions": [{"lang": "en", "value": "The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:01.174Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11263", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:01.174Z", "dateReserved": "2025-10-03T14:17:48.450Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T03:27:04.735Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-11263", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T04:15:46.113", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3401477/link-whisper/trunk/core/Wpil/Report.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0cbef8-223a-44c0-a07f-28de2670da99?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:16:49.796101+00:00", "value": {"mitigation_remediation": ["Update the Link Whisper Free plugin to the latest available version (\u22650.8.9 if released).", "If an update is not available, disable or uninstall the plugin so the vulnerable parameter is no longer processed.", "Deploy a Web Application Firewall rule or ModSecurity rule that blocks scripts or suspicious input in the \"type\" parameter before it reaches WordPress.", "Add server\u2011side input validation to strip or escape any non\u2011allowed characters from the \"type\" parameter before it is rendered in page output."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site that uses the Link Whisper Free plugin version 0.8.8 or earlier, regardless of other configuration settings.", "description_and_impact": "The flaw allows an attacker to inject arbitrary scripts by supplying a crafted value for the \"type\" parameter; the input is not sanitized or escaped before being placed into page output. Because the script runs in the victim\u2019s browser when a user clicks a link containing the malicious parameter, the attacker can steal cookies, hijack sessions, or deface the page. The vulnerability is limited to unauthenticated users but requires user interaction to trigger the code execution.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate level of severity, while the EPSS score of less than 1 percent suggests a low probability of exploitation at present. The attack vector is network\u2011based, reachable through a crafted URL that must be clicked by a victim, and the flaw is not listed in CISA\u2019s KEV catalog, so no widespread incidents have been reported to date. However, the client\u2011side nature of the injection means that any user who visits the malicious link could be compromised, impacting confidentiality and integrity of that user\u2019s session."}}}}, "created": "2025-12-08T09:39:44.653094+00:00", "updated": "2026-04-22T12:30:16.826857+00:00", "vendors": ["linkwhisper", "linkwhisper$PRODUCT$link_whisper_free", "wordpress", "wordpress$PRODUCT$wordpress"]}