Reflected Cross-site Scripting (XSS) Vulnerability in Link Whisper Free
CVE-2024-27992

7.1HIGH

Key Information:

Vendor: WordPress
Status: Link Whisper Free
Vendor: CVE Published:; 11 April 2024

Summary

The Link Whisper Free plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) due to improper handling of user input during web page generation. This security flaw enables attackers to inject arbitrary JavaScript into the affected application, which can be executed in the context of users visiting the compromised site. Consequently, this may lead to session hijacking, defacement, or redirection to malicious websites if a user is tricked into clicking a crafted link. Users are advised to review and update to the latest version to mitigate potential risks associated with this vulnerability.

Affected Version(s)

Link Whisper Free <= 0.6.8

References

https://patchstack.com/database/vulnerability/link-whispe...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 11, 2024
Vulnerability Reserved
Feb 29, 2024

Credit

Dimas Maulana (Patchstack Alliance)