Impact
The WP to LinkedIn Auto Publish WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping in a postMessage handler: data received from a message event is written into the page without being validated or escaped. An unauthenticated attacker can craft a link that, when a victim opens it, causes attacker-controlled content to be injected into the page as JavaScript. The injected script runs in the victim's browser within the victim's session on the site, so it can read cookies that are not marked HttpOnly, hijack the session, or perform actions on the site with the victim's privileges (a logged-in administrator is the worst case). The attacker needs no credentials of their own; the impact is determined by who opens the link.
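As an added illustration of the vulnerability class named above (not the plugin's own code, which this page does not reproduce): a generic postMessage handler that trusts any sender and writes the raw payload into the DOM, beside a hardened version that checks event.origin against an allowlist, validates the message shape, and escapes the text before rendering. The function names, the message format, the origin values and the sample messages are assumptions constructed for the example.

```javascript
// Added example, not the plugin's code. Shows the vulnerable postMessage
// pattern beside a hardened one; all names and origins are assumptions.

// Minimal escaping for an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: no origin check, no shape check, raw payload concatenated
// into markup. Returns the string such a handler would assign to innerHTML.
function buildStatusHtmlUnsafe(event) {
  return '<div class="status">' + event.data + "</div>";
}

// Hardened pattern: reject messages from unexpected origins, require a known
// message shape, bound the size, and escape before rendering.
// Returns null when the message is rejected.
function buildStatusHtmlSafe(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) return null;          // sender check
  if (typeof event.data !== "object" || event.data === null) return null;
  if (event.data.type !== "publish-status") return null;            // shape check
  const msg = event.data.message;
  if (typeof msg !== "string" || msg.length > 500) return null;     // size bound
  return '<div class="status">' + escapeHtml(msg) + "</div>";       // output escaping
}

// Constructed sample messages (not captured traffic).
const attackerEvent = {
  origin: "https://attacker.example",
  data: "<img src=x onerror=alert(document.cookie)>",
};
const legitEvent = {
  origin: "https://site.example",
  data: { type: "publish-status", message: "Posted <ok>" },
};

// In a browser the hardened handler would be wired like this; the allowlist is
// the page's own origin, which is where a plugin's iframe or popup would post from.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const html = buildStatusHtmlSafe(ev, [window.location.origin]);
    const el = document.getElementById("status");
    if (html !== null && el) el.innerHTML = html;
  });
}
```

The origin check is what separates "any page the victim can be lured onto" from the frames the site actually expects to hear from; the escaping handles the case where a trusted sender still relays untrusted text. Both are needed: an origin check alone does nothing if the trusted sender echoes attacker input, and escaping alone still lets any origin drive the handler.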
Affected Systems
The vulnerability exists in all releases of the WP to LinkedIn Auto Publish plugin up to and including version 1.9.8. Any WordPress site running this plugin at version 1.9.8 or earlier is affected; the installed version can be confirmed on the Plugins screen of the WordPress admin. No WordPress core versions are implicated, since the flaw is confined to the plugin's own code, so updating WordPress core alone does not remediate it.
Risk and Exploitability
The CVSS base score is 6.1 (Medium). The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires user interaction: the attacker must get a victim, most usefully one logged in with elevated privileges, to open a crafted link, typically through phishing or social engineering. Even so, because a successful attack runs script inside an authenticated session, sites should update the plugin to a release later than 1.9.8 promptly rather than rely on the low current exploitation estimate.
OpenCVE Enrichment