Impact
A stored cross-site scripting vulnerability exists in the mibuthu Link View plugin up to version 0.8.0. The plugin fails to neutralize user-supplied input that is later rendered in the web page, allowing an attacker to inject arbitrary JavaScript that executes in the browser of any user visiting the affected pages. This can lead to session hijacking, credential theft, defacement or the execution of malware on the client side. The weakness is classified as CWE-79 (improper neutralization of input during web page generation).
Affected Systems
All WordPress installations that have the mibuthu Link View plugin installed at or below version 0.8.0 are affected. The vulnerability is described as affecting all releases from the initial version through 0.8.0, meaning any site running one of those versions is potentially vulnerable. No specific operating systems or runtime environments are listed as restrictions, so the flaw is likely present on any typical WordPress host that supports the plugin.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1 % indicates a very low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog, which is consistent with a lower current risk. The likely attack path involves an attacker creating or editing a link entry via the plugin's administrative interface or a form that stores the data for later display. Once the malicious payload is stored, the script executes in the browser of any site visitor who views the page containing the affected link. Exploitation is indirect: it requires administrative access to the plugin or the ability to submit content that is stored and displayed, but the impact on all users who see the page can be significant if the payload succeeds.
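An added example, not code from the plugin or from this advisory: an audit of stored link entries for content that would become active if rendered without neutralization, as in the attack path described above. The field names follow the WordPress core links table and are an assumption (the advisory does not name the affected fields); the sample rows are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: entries are exported as dicts keyed like the WordPress core
# links table; the advisory does not name the affected fields.
TEXT_FIELDS = ("link_name", "link_description")
URL_FIELD = "link_url"
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL

# A tag opener or an inline event-handler attribute in a text field.
ACTIVE_MARKUP = re.compile(r"<[a-z!/?]|\bon[a-z]+\s*=", re.I)

def audit_entry(entry):
    """Return (field, reason) findings for one stored link entry."""
    findings = []
    for field in TEXT_FIELDS:
        if ACTIVE_MARKUP.search(entry.get(field, "")):
            findings.append((field, "active-markup"))
    # Browsers drop tabs and newlines from a URL before parsing it, so strip
    # whitespace and control characters before reading the scheme.
    url = re.sub(r"[\x00-\x20]+", "", entry.get(URL_FIELD, ""))
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:
        scheme = "unparseable"
    if scheme not in SAFE_SCHEMES:
        findings.append((URL_FIELD, "unsafe-scheme"))
    if re.search(r"[\"'<>]", url):
        findings.append((URL_FIELD, "attribute-breakout"))
    return findings

def audit(entries):
    """Map link_id to findings, listing only entries that need review."""
    report = {e["link_id"]: audit_entry(e) for e in entries}
    return {k: v for k, v in report.items() if v}

# Constructed sample rows, not data from any real site.
SAMPLE = [
    {"link_id": 1, "link_name": "Project docs",
     "link_url": "https://example.org/docs",
     "link_description": "Reference & guides"},
    {"link_id": 2, "link_name": "<script>/* constructed marker */</script>Docs",
     "link_url": "https://example.org/", "link_description": ""},
    {"link_id": 3, "link_name": "Partner site",
     "link_url": "java\tscript:void(0)",
     "link_description": '" onmouseover="/* constructed */'},
]

if __name__ == "__main__":
    for link_id, findings in audit(SAMPLE).items():
        print(link_id, findings)
```

Flagged entries are candidates for manual review; a clean result does not replace escaping at output time.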