Impact
Improper neutralization of user‑controlled input in the WordPress EZ InLinkz linkup plugin (CWE‑79) enables a DOM‑based Cross‑Site Scripting attack. When the plugin processes malicious input, arbitrary JavaScript runs in the context of the affected site, which can lead to session hijacking, defacement, or credential theft. The vulnerability is confined to the client side and does not give the attacker direct access to the server, but any user who visits a crafted page can be affected. Based on the description, the flaw is inferred to be client‑side only and to require user interaction to trigger exploitation.
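To make the mechanism concrete, the following added example (illustrative code written for this page, not the plugin's own source) models the DOM‑based XSS pattern the advisory describes: a URL‑derived value written to an HTML sink, beside the hardened form that treats the value as text. The element object, parameter name `title` and the query string are constructed assumptions so the code runs in Node.

```javascript
// Added illustrative example, not code from the EZ InLinkz linkup plugin.
// Models a typical DOM-based XSS pattern: URL-derived input written to an
// HTML sink, beside the hardened form that treats the input as text.

// Minimal stand-in for a DOM element so the example runs in Node
// (assumption: a real page would use document.getElementById(...)).
function makeElement() {
  return { innerHTML: "", textContent: "", children: [] };
}

// Escape the five characters that matter when interpolating into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern (hypothetical): a query-string value is concatenated
// into markup and assigned to innerHTML, so any markup in it is parsed.
function renderTitleUnsafe(el, search) {
  const title = new URLSearchParams(search).get("title") || "";
  el.innerHTML = '<h2 class="linkup-title">' + title + "</h2>";
  return el.innerHTML;
}

// Hardened pattern: keep structure in code, write the untrusted value via a
// text sink (textContent) or escape it before it reaches an HTML sink.
function renderTitleSafe(el, search) {
  const title = new URLSearchParams(search).get("title") || "";
  el.innerHTML = '<h2 class="linkup-title"></h2>'; // static markup only
  const heading = makeElement();
  heading.textContent = title;   // text sink: the browser does not parse it
  el.children.push(heading);
  return escapeHtml(title);      // what an HTML sink would safely receive
}

// Constructed sample input: a query string carrying markup instead of a title.
const sampleSearch =
  "?title=Weekend%20Linkup%3Cimg%20src%3Dx%20onerror%3Dprobe()%3E";

// Simple detection check: does the rendered HTML still contain a raw
// event-handler tag taken from the input?
function containsRawTag(html) {
  return /<img[^>]*onerror/i.test(html);
}
```

The same distinction applies to a Content Security Policy: a page whose script sources are restricted blocks the inline handler even when the markup slips through.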
Affected Systems
The issue affects the inlinkz: EZ InLinkz linkup plugin for WordPress in versions up to and including 0.18. Users running any of these versions should confirm their installed version and apply a fix.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, and the EPSS score is below 1%, suggesting that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog, so there is no known exploitation in the wild. However, because the flaw requires only user interaction to run malicious code in a browser, administrators should treat it as a moderate risk to any users who may view compromised pages and should mitigate promptly. Based on the description, the vulnerability is inferred to be client‑side only and to need a victim to visit a malicious page for exploitation.
OpenCVE Enrichment