Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in makong Internal Links Generator internal-links-generator allows Reflected XSS. This issue affects Internal Links Generator: from n/a through <= 3.51.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Internal Links Generator plugin does not properly neutralize input when generating web pages, which results in a reflected cross-site scripting weakness. An attacker can supply crafted input that is echoed back in the page output without adequate sanitization, which enables the insertion of arbitrary JavaScript. This could lead to defacement, session hijacking, or malicious redirects for any visitor who loads the affected page.

Affected Systems

The vulnerability affects the WordPress plugin Internal Links Generator made by makong. Versions up to and including 3.51 are impacted, while newer releases are not affected.

Risk and Exploitability

The CVSS score of 7.1 falls in the High severity band. The EPSS score of less than 1% suggests that, at present, the likelihood of exploitation in the wild is low, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is a reflected XSS payload supplied through user input or a crafted URL that the plugin renders unfiltered. Inference: an attacker could craft a link that, when clicked by a victim, executes malicious JavaScript within the victim's browser session.

Generated by OpenCVE AI on May 1, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Internal Links Generator plugin to a version that includes the XSS fix (v3.52 or later).
  • If an upgrade cannot be performed immediately, disable or remove the plugin from the site to eliminate the vulnerable functionality.
  • Add output‑encoding or sanitization to all user inputs that interact with the plugin, ensuring that any dynamically injected content is properly encoded before rendering.

Advisories
Source: EUVD
ID: EUVD-2025-3255
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Internal Links Generator allows Reflected XSS. This issue affects Internal Links Generator: from n/a through 3.51.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Internal Links Generator allows Reflected XSS. This issue affects Internal Links Generator: from n/a through 3.51.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in makong Internal Links Generator internal-links-generator allows Reflected XSS. This issue affects Internal Links Generator: from n/a through <= 3.51.

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00032}
Values Added: epss {'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00072}
Values Added: epss {'score': 0.00032}


Fri, 14 Feb 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Internal Links Generator allows Reflected XSS. This issue affects Internal Links Generator: from n/a through 3.51.

Type: Title
Values Added: WordPress Internal Links Generator plugin <= 3.51 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:13.592Z

Reserved: 2025-01-16T11:26:20.969Z

Link: CVE-2025-23571

Vulnrichment

Updated: 2025-02-14T15:36:10.344Z

NVD

Status: Deferred

Published: 2025-02-14T13:15:44.330

Modified: 2026-06-17T08:55:27.633

Link: CVE-2025-23571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')