Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clinked Clinked Client Portal clinked-client-portal allows Reflected XSS. This issue affects Clinked Client Portal: from n/a through <= 1.10.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Clinked Client Portal, a WordPress plugin, contains a reflected cross-site scripting flaw: user input is not properly escaped before being reflected in a page. This allows arbitrary JavaScript to execute in the victim's browser when a crafted URL or input is processed by the plugin. Based on the description, it is inferred that an attacker could use this to deface the site, carry out phishing, or perform other malicious actions within the site's context.

Affected Systems

The vulnerability is present in the Clinked Client Portal plugin for WordPress in all releases up to and including 1.10. Any WordPress installation that uses the Clinked Client Portal plugin and has not upgraded beyond version 1.10 is impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score is less than 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalogue. Based on the description, it is inferred that exploitation would likely involve a remote attacker delivering a malicious link that causes the plugin to echo unsanitized input into the browser context.

Generated by OpenCVE AI on May 2, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Clinked Client Portal to the latest available revision that addresses the XSS flaw.
  • If an update is not possible, restrict public access to the plugin’s interface or enforce admin‑only usage to reduce exposure.
  • Enforce strict input sanitization on any data reflected by the plugin and consider a content‑security policy that blocks inline scripts.



Advisories
Source: EUVD
ID: EUVD-2025-11706
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clinked Clinked Client Portal allows Reflected XSS. This issue affects Clinked Client Portal: from n/a through 1.10.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clinked Clinked Client Portal allows Reflected XSS. This issue affects Clinked Client Portal: from n/a through 1.10.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clinked Clinked Client Portal clinked-client-portal allows Reflected XSS.This issue affects Clinked Client Portal: from n/a through <= 1.10.
References
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clinked Clinked Client Portal allows Reflected XSS. This issue affects Clinked Client Portal: from n/a through 1.10.
Title WordPress Clinked Client Portal Plugin <= 1.10 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:25.649Z

Reserved: 2025-04-09T11:20:35.409Z

Link: CVE-2025-32615

Vulnrichment

Updated: 2025-04-17T18:07:47.541Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:46.923

Modified: 2026-04-23T15:29:12.940

Link: CVE-2025-32615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:15:31Z

Weaknesses