Description
The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Published: 2025-11-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The Broken Link Manager WordPress plugin up to version 0.6.5 fails to sanitize and escape a query parameter before rendering it on the page, creating a reflected cross‑site scripting vulnerability. An attacker can embed arbitrary JavaScript in the vulnerable parameter and cause it to execute in the browser of any user who views the crafted URL. Because the target user may be a site administrator, the flaw can be used to hijack an admin session, steal privileged data, or perform other malicious actions within that user’s authority.

Affected Systems

WordPress sites that use the Broken Link Manager plugin version 0.6.5 or earlier are affected. The issue applies to any installation of the plugin that has not been upgraded beyond this release.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity for this reflected XSS. The EPSS score of less than 1 percent suggests the vulnerability is currently unlikely to be widely exploited, and it is not listed in the CISA KEV catalog. Exploitation requires an attacker to craft a malicious link that includes the unsanitized parameter and entice a high‑privilege user, such as an administrator, to visit it. If the user’s session is compromised, the attacker can gain temporary high‑level access to the site. The attack surface is limited to users who click the crafted URL, but the potential impact for privileged accounts is significant.

Generated by OpenCVE AI on April 28, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of the Broken Link Manager plugin, which sanitizes the vulnerable parameter, or uninstall the plugin entirely if no update is available.
  • If an upgrade cannot be performed immediately, limit what an injected payload can do by applying a strict Content‑Security‑Policy that blocks inline scripts on the site.
  • Add a WordPress filter or use a security plugin that validates and escapes all user‑controlled query parameters before rendering them, thereby preventing the injection of malicious script.
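As an added illustration of the third action (this is not code from the Broken Link Manager plugin, and the record does not name the vulnerable parameter), the unsafe echo-back pattern next to its WordPress-idiomatic fix; the parameter name `blm_filter` and the function names are placeholders:

```php
<?php
/*
 * Added example, not plugin code. Shows the vulnerability class behind
 * CVE-2025-12629: a query parameter reflected into an admin page without
 * sanitising or escaping. "blm_filter" is a hypothetical parameter name.
 */

// VULNERABLE pattern: whatever arrives in the URL is written straight into
// an attribute and into element text, so a crafted link can inject markup.
function blm_render_filter_vulnerable() {
    $filter = isset( $_GET['blm_filter'] ) ? $_GET['blm_filter'] : '';
    echo '<input type="text" name="blm_filter" value="' . $filter . '">';
    echo '<p>Showing links matching: ' . $filter . '</p>';
}

// HARDENED pattern: sanitise on input, then escape on output for the exact
// context the value lands in. All helpers used are WordPress core functions.
function blm_render_filter_hardened() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    $filter = isset( $_GET['blm_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['blm_filter'] ) )
        : '';

    // esc_attr() for an attribute value, esc_html() for element text. Using
    // the context-specific escaper is what closes the reflected XSS.
    echo '<input type="text" name="blm_filter" value="' . esc_attr( $filter ) . '">';
    echo '<p>Showing links matching: ' . esc_html( $filter ) . '</p>';
}

// Optional: reject requests that did not originate from the plugin's own
// admin form. The nonce action name "blm_filter_links" is a placeholder.
function blm_filter_request_is_valid() {
    return isset( $_GET['_wpnonce'] )
        && wp_verify_nonce( sanitize_key( $_GET['_wpnonce'] ), 'blm_filter_links' );
}
```

The escaping is the fix that matters; the nonce check only narrows who can reach the rendering code and must not be relied on as an XSS control by itself.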

Generated by OpenCVE AI on April 28, 2026 at 10:21 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 10:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Tue, 25 Nov 2025 11:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: K-78; K-78 broken Link Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: K-78; K-78 broken Link Manager; Wordpress; Wordpress wordpress

Mon, 24 Nov 2025 11:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:

  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Nov 2025 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Type: Title
Values Removed: (none)
Values Added: Broken Link Manager <= 0.6.5 - Reflected XSS

Type: References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:52.225Z

Reserved: 2025-11-03T10:33:43.580Z

Link: CVE-2025-12629

Vulnrichment

Updated: 2025-11-24T10:52:30.457Z

NVD

Status : Deferred

Published: 2025-11-24T06:15:46.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses