Stored Cross-Site Scripting in Link Whisper Free Plugin for WordPress
CVE-2025-11262

7.2HIGH

Key Information:

Vendor: WordPress
Status: Link Whisper Free
Vendor: CVE Published:; 29 May 2026

What is CVE-2025-11262?

The Link Whisper Free plugin for WordPress is susceptible to stored cross-site scripting, primarily through the user_id parameter. This vulnerability stems from inadequate sanitization and escaping of user inputs, allowing unauthenticated attackers to inject malicious web scripts. Consequently, these scripts can execute upon access, posing significant risks to users accessing affected pages.

Affected Version(s)

Link Whisper Free 0 <= 0.9.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/link-whisper/t...

https://wordpress.org/plugins/link-whisper/#developers

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
Oct 3, 2025

Credit

Michael Mazzolini

CVE-2025-11262 Data

JSON