{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67927", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:49.437Z", "datePublished": "2026-01-08T09:17:48.182Z", "dateUpdated": "2026-04-28T16:14:24.026Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "link-whisper", "product": "Link Whisper Free", "vendor": "Spencer Haws", "versions": [{"changes": [{"at": "0.8.9", "status": "unaffected"}], "lessThanOrEqual": "0.8.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ryan Novotny | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:54.464Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.<p>This issue affects Link Whisper Free: from n/a through <= 0.8.8.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.8.8."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.026Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Link Whisper Free plugin <= 0.8.8 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T14:54:38.660900Z", "id": "CVE-2025-67927", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:04:11.650Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67927", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T14:54:38.660900Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:54:41.327Z"}}], "cna": {"title": "WordPress Link Whisper Free plugin <= 0.8.8 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Ryan Novotny | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spencer Haws", "product": "Link Whisper Free", "versions": [{"status": "affected", "changes": [{"at": "0.8.9", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "0.8.8"}], "packageName": "link-whisper", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:54.464Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.8.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.<p>This issue affects Link Whisper Free: from n/a through <= 0.8.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:54.921Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67927", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:04:11.650Z", "dateReserved": "2025-12-15T09:59:49.437Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T09:17:48.182Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.8.8."}], "id": "CVE-2025-67927", "lastModified": "2026-04-27T18:16:49.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:51.740", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T22:35:38.572173+00:00", "value": {"mitigation_remediation": ["Update the Link Whisper Free plugin to the latest version (\u2265\u202f0.8.9) which contains the XSS fix.", "If an upgrade is not possible, completely disable or delete the plugin to eliminate the vulnerable code.", "Ensure that any remaining plugin\u2011supplied input fields enforce strict input validation or sanitization to address the CWE\u201179 weakness.", "Monitor site logs for anomalous script execution and conduct regular security scans for reflected XSS issues."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress Link Whisper Free plugin for WordPress, released by Spencer Haws. Versions up to and including 0.8.8 contain the flaw.", "description_and_impact": "The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE\u201179), which allows attackers to inject malicious scripts that are executed in the context of any visitor to the affected WordPress site. By injecting crafted JavaScript through the plugin\u2019s user interface, an attacker can potentially deface the site, hijack user sessions, or exfiltrate sensitive information. The flaw does not grant direct server\u2011side code execution, but it endangers the confidentiality, integrity, and availability of users who view the affected pages.", "risk_and_exploitability": "The CVSS score of 7.1 places this vulnerability in the medium\u2011to\u2011high severity range. The EPSS score of <\u202f1\u202f% indicates that, as of the last measurement, the likelihood of automated exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is reflected XSS; an attacker would need to craft a payload that is echoed back to a user in the generated HTML, typically via plugin\u2011supplied input fields. Based on the description, it is inferred that the vulnerability originates from unsanitized user input, allowing a reasonably knowledgeable attacker to discover and exploit it with or without elevated privileges."}}}}, "created": "2026-01-09T13:25:18.640081+00:00", "updated": "2026-04-28T22:45:25.936924+00:00", "vendors": ["spencer_haws", "spencer_haws$PRODUCT$link_whisper_free", "wordpress", "wordpress$PRODUCT$wordpress"]}