Impact
The Link View WordPress plugin fails to properly neutralize input during web page generation. Malicious data stored via the plugin is later rendered unsanitized in the browser, resulting in stored cross-site scripting (XSS). Attackers can inject scripts that execute each time a page incorporating the plugin is viewed, potentially allowing credential theft, session hijacking, defacement, or other client‑side abuses.
Affected Systems
All installations of the mibuthu Link View plugin version 0.8.0 or earlier, including older releases with no version marker, are affected. The vulnerability applies to any WordPress site that has the plugin active and allows content to be stored through it.
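The affected-version rule above can be checked against an installation as follows. This is an added example, not code from the advisory or the plugin. It assumes the plugin lives under the directory slug `link-view` (not stated on this page) and uses the standard WordPress plugin header; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (0, 8, 0)  # from the advisory: 0.8.0 and earlier are affected
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S*)", re.I | re.M)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)

# Constructed sample header, for illustration only.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Link View\nVersion: 0.7.2\n*/\n"

def parse_version(php_source):
    """Return the header version as a tuple of ints, or None if missing."""
    m = VERSION_RE.search(php_source[:8192])  # WordPress reads the first 8 KiB
    if not m:
        return None
    nums = re.findall(r"\d+", m.group(1).split("-")[0])  # ignore "-beta" etc.
    return tuple(int(n) for n in nums) if nums else None

def is_affected(version):
    """No version marker counts as affected, as the advisory states."""
    if version is None:
        return True
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) <= pad(LAST_AFFECTED)

def scan(wp_root, slug="link-view"):  # slug is an assumption, see lead-in
    """Return (file, version, affected) for each plugin main file found."""
    results = []
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / slug
    for php in sorted(plugin_dir.glob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if NAME_RE.search(text[:8192]):
            version = parse_version(text)
            results.append((php.name, version, is_affected(version)))
    return results

if __name__ == "__main__":
    for name, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "no version marker"
        print(f"{name}: {shown} -> {'AFFECTED' if affected else 'not affected'}")
```

Run it with the WordPress root directory as the only argument; an empty result means no plugin main file was found under the assumed slug.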
Risk and Exploitability
The vulnerability has a CVSS score of 5.9, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation. The issue is not listed in CISA’s KEV catalog. While the attack vector is not explicitly stated in the CVE data, it is inferred that exploitation requires the attacker to be able to submit malicious data through the plugin, either via an authenticated user interface or a publicly accessible submission form. Once injected, the payload executes in the browser of any visitor viewing the affected page.