Description
The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-01-29
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The plugin stores link titles without proper sanitization or encoding, allowing an attacker who can edit a link title to inject malicious JavaScript. When a victim visits a page that displays the stored title, the code executes in their browser. The injected script can perform a range of malicious actions such as stealing session cookies, defacing content, or redirecting to phishing sites. This is a classic stored cross‑site scripting flaw (CWE‑79).

Affected Systems

Affected systems are installations of the WordPress ClickWhale plugin, version 2.4.1 and earlier. The vendor is Flowdee, and the plugin is available from the WordPress plugin repository. Administrators who run an instance that has not upgraded past 2.4.1 are vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, placing it in the medium severity range. Its EPSS score is below 1 %, indicating a very low probability of exploitation at this time. It is not listed in the CISA KEV catalog. The description states that the flaw is exploitable by authenticated users with Contributor-level permissions or higher; the likely attack path is through the WordPress admin interface where the attacker can modify a link title. Because an attacker must first obtain legitimate credentials, the overall risk is mitigated compared to a purely unauthenticated vulnerability, but the potential impact remains significant.

Generated by OpenCVE AI on April 21, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ClickWhale plugin to version 2.4.2 or later, which removes the vulnerable code path.
  • If an immediate upgrade is not feasible, delete or disable the plugin until an update is applied.
  • Restrict Contributor and Editor roles to limit link editing privileges, or consider revoking these capabilities entirely.
  • Apply input validation and output encoding on all user‑provided fields to prevent XSS, following CWE‑79 best practices.

Generated by OpenCVE AI on April 21, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1877 The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 27 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 May 2025 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Flowdee
Flowdee clickwhale
CPEs cpe:2.3:a:flowdee:clickwhale:*:*:*:*:*:wordpress:*:*
Vendors & Products Flowdee
Flowdee clickwhale

Wed, 29 Jan 2025 03:30:00 +0000

Type Values Removed Values Added
Description The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Flowdee Clickwhale
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:25.763Z

Reserved: 2025-01-28T14:53:15.819Z

Link: CVE-2025-0804

cve-icon Vulnrichment

Updated: 2025-02-12T19:46:14.283Z

cve-icon NVD

Status : Analyzed

Published: 2025-01-29T04:15:07.193

Modified: 2025-05-23T15:27:23.890

Link: CVE-2025-0804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses