{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15483", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T20:19:08.267Z", "datePublished": "2026-02-14T06:42:34.100Z", "dateUpdated": "2026-04-08T17:21:16.779Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:16.779Z"}, "affected": [{"vendor": "ajferg", "product": "Link Hopper", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018hop_name\u2019 parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Link Hopper <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c52046-c85d-46af-b36c-41c70dad5426?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/link-hopper/trunk/linkhopper.php#L205"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "timeline": [{"time": "2025-12-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-13T18:33:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:36:32.936701Z", "id": "CVE-2025-15483", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:45:39.813Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15483", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:36:32.936701Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:36:33.631Z"}}], "cna": {"title": "Link Hopper <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ajferg", "product": "Link Hopper", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-13T18:33:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c52046-c85d-46af-b36c-41c70dad5426?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/link-hopper/trunk/linkhopper.php#L205"}], "descriptions": [{"lang": "en", "value": "The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018hop_name\u2019 parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:16.779Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15483", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:16.779Z", "dateReserved": "2026-01-07T20:19:08.267Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:34.100Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018hop_name\u2019 parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El plugin Link Hopper para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'hop_name' en todas las versiones hasta la 2.5, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de administrador, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio e instalaciones donde se ha deshabilitado unfiltered_html."}], "id": "CVE-2025-15483", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:07.067", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/link-hopper/trunk/linkhopper.php#L205"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c52046-c85d-46af-b36c-41c70dad5426?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5]"}}], "product": "link_hopper", "vendor": "ajferg"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-20T20:54:19.556459+00:00", "value": {"mitigation_remediation": ["Upgrade Link Hopper to the latest version (2.6 or newer) where the hop_name parameter is properly sanitized and escaped", "If an update is not immediately feasible, remove or disable the Link Hopper plugin from the site to eliminate the attack surface", "Restrict the unfiltered_html capability for administrators or ensure that any administrators use only trusted content editors for hop_name entries"], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via hop_name for administrators"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Link Hopper plugin, versions 2.5 and earlier, on multi\u2011site installations where the unfiltered_html capability has been disabled. Users with administrator privileges on those installations are the only ones who can add or edit hop_name values.", "description_and_impact": "The Link Hopper plugin for WordPress contains a stored cross\u2011site scripting flaw that allows authenticated administrators to inject arbitrary scripts through the hop_name parameter. Supplying a malicious value to hop_name records the script into the database; when another site visitor loads that page the script executes in the visitor's browser. The attacker can hijack sessions, steal credentials, or deface the site. The weakness is a classic input validation and output escaping failure, classified as CWE\u201179.", "risk_and_exploitability": "The flaw carries a CVSS score of 4.4, indicating moderate severity. Its EPSS score is below 1% and it is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. However, because the attack requires an administrator role, the risk is confined to sites with high\u2011privilege accounts. An attacker would need access to the WordPress admin area, create or edit a hop, and then persuade or trick a victim to visit the crafted page. In the absence of mitigation, the compromised page could compromise all subsequent users who view it."}}}}, "created": "2026-02-16T12:02:06.446926+00:00", "updated": "2026-04-20T21:00:12.963440+00:00", "vendors": ["ajferg", "ajferg$PRODUCT$link_hopper", "wordpress", "wordpress$PRODUCT$wordpress"]}