Description
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-02-14
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via hop_name for administrators
Action: Patch
AI Analysis

Impact

The Link Hopper plugin for WordPress contains a stored cross‑site scripting flaw that allows authenticated administrators to inject arbitrary scripts through the hop_name parameter. Supplying a malicious value to hop_name records the script into the database; when another site visitor loads that page the script executes in the visitor's browser. The attacker can hijack sessions, steal credentials, or deface the site. The weakness is a classic input validation and output escaping failure, classified as CWE‑79.

Affected Systems

WordPress sites that use the Link Hopper plugin, versions 2.5 and earlier, on multi‑site installations where the unfiltered_html capability has been disabled. Users with administrator privileges on those installations are the only ones who can add or edit hop_name values.

Risk and Exploitability

The flaw carries a CVSS score of 4.4, indicating moderate severity. Its EPSS score is below 1% and it is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. However, because the attack requires an administrator role, the risk is confined to sites with high‑privilege accounts. An attacker would need access to the WordPress admin area, create or edit a hop, and then persuade or trick a victim to visit the crafted page. In the absence of mitigation, the compromised page could compromise all subsequent users who view it.

Generated by OpenCVE AI on April 20, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Link Hopper to the latest version (2.6 or newer) where the hop_name parameter is properly sanitized and escaped
  • If an update is not immediately feasible, remove or disable the Link Hopper plugin from the site to eliminate the attack surface
  • Restrict the unfiltered_html capability for administrators or ensure that any administrators use only trusted content editors for hop_name entries

Generated by OpenCVE AI on April 20, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Ajferg
Ajferg link Hopper
Wordpress
Wordpress wordpress
Vendors & Products Ajferg
Ajferg link Hopper
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Link Hopper <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Ajferg Link Hopper
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:16.779Z

Reserved: 2026-01-07T20:19:08.267Z

Link: CVE-2025-15483

cve-icon Vulnrichment

Updated: 2026-02-17T15:36:33.631Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T07:16:07.067

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15483

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:00:12Z

Weaknesses