Description
The Link Fixer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via broken links in all versions up to, and including, 3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-01-31
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Link Fixer WordPress plugin contains a stored cross‑site scripting vulnerability in all releases up to and including 3.4. The flaw arises because broken links entered by users are not properly sanitized or escaped before being written to the database and later rendered in page content. An unauthenticated attacker can insert arbitrary JavaScript that will be persisted and executed whenever any site visitor loads a page containing the injected link. This can compromise user credentials, deface the site, or facilitate phishing attacks.

Affected Systems

The affected asset is the WordPress plugin Link Fixer (by kpgraham) version 3.4 and earlier. These versions may be installed on any WordPress site that has the plugin activated. No other software products are directly cited as impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. Although the EPSS score is below 1%, indicating a low current probability of exploitation, the vulnerability allows unauthenticated users to inject malicious payloads that run with the privileges of site visitors. The flaw is not listed in the CISA KEV catalog, but the absence of a public exploit does not mitigate the risk to sites that rely on the plugin. An attacker would need only to create a link containing malicious code; once the link is stored, every subsequent user who views the page is affected. The lack of an authentication requirement and the ability to impact a broad audience mean that, if exploited, the damage could be significant.

Generated by OpenCVE AI on April 22, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Link Fixer plugin to a version newer than 3.4, or install a patched release that properly sanitizes and escapes broken links.
  • If an upgrade is not immediately possible, disable the plugin until a fix is available, or restrict the use of the feature that accepts untrusted link input.
  • Implement a Content Security Policy that blocks inline script execution on the affected pages to reduce the impact of any stored script that might still be present.
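As an added illustration of the first two actions (sanitize on input, escape on output, each for the context the value lands in) and the third (a CSP that blocks inline script), here is a hypothetical WordPress snippet. It is not the Link Fixer plugin's code; the function and option names are invented, and it assumes WordPress is loaded so the `esc_*`, `sanitize_*` and option APIs exist.

```php
<?php
// Hypothetical illustration, not the Link Fixer plugin's code. Assumes WordPress is loaded.

// Input side: a broken-link report arrives from an untrusted (possibly anonymous) visitor.
function example_store_broken_link( string $raw_url, string $raw_context ): bool {
    // esc_url_raw() returns '' when the scheme is not on wp_allowed_protocols()
    // (so javascript: and data: URLs never reach the database).
    $url = esc_url_raw( $raw_url );
    if ( '' === $url ) {
        return false; // refuse to persist anything that is not a plausible link
    }
    // sanitize_text_field() strips tags, invalid octets and line breaks from free text.
    $context = sanitize_text_field( $raw_context );

    $links   = (array) get_option( 'example_broken_links', array() );
    $links[] = array( 'url' => $url, 'context' => $context, 'seen' => time() );
    return (bool) update_option( 'example_broken_links', $links );
}

// Output side: escape again at the point of rendering, per context, even though
// the input was sanitized. Attribute values and text nodes need different escaping.
function example_render_broken_links(): string {
    $html = '<ul>';
    foreach ( (array) get_option( 'example_broken_links', array() ) as $link ) {
        $html .= sprintf(
            '<li><a href="%s" rel="nofollow">%s</a> (reported %s)</li>',
            esc_url( $link['url'] ),      // attribute context: URL escaping
            esc_html( $link['context'] ), // text context: HTML entity escaping
            esc_html( gmdate( 'Y-m-d', (int) $link['seen'] ) )
        );
    }
    return $html . '</ul>';
}

// Defence in depth: disallow inline script so a payload that slipped past escaping
// still cannot execute. Tighten or extend the source lists to what the site loads;
// themes that rely on inline JavaScript will need nonces or hashes added here.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```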

Generated by OpenCVE AI on April 22, 2026 at 13:30 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-1880
Title: The Link Fixer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via broken links in all versions up to, and including, 3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00181}
Values Added: {'score': 0.0023}

Fri, 31 Jan 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 31 Jan 2025 05:30:00 +0000

Type: Description
Values Added: The Link Fixer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via broken links in all versions up to, and including, 3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Link Fixer <= 3.4 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Kpgraham Link Fixer Plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:17.401Z

Reserved: 2025-01-28T15:13:51.169Z

Link: CVE-2025-0809

Vulnrichment

Updated: 2025-01-31T16:50:33.847Z

NVD

Status: Deferred

Published: 2025-01-31T06:15:29.933

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses