Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maarten Links shortcode links-shortcode allows Stored XSS.This issue affects Links shortcode: from n/a through <= 1.8.3.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Links shortcode plugin includes improper input neutralization in a stored data context, enabling a Stored XSS attack. When the plugin stores user‑supplied input in a post or page, the resulting script can execute in any browser that views the content, allowing attackers to hijack user sessions, deface pages, or perform phishing. This vulnerability is identified as CWE‑79 and carries a CVSS score of 6.5.

Affected Systems

WordPress websites using the Maarten Links shortcode plugin version 1.8.3 or earlier are impacted. The issue spans all releases from the first available version through 1.8.3. The plugin is listed under the vendor Maarten and is identified by the short name links‑shortcode.

Risk and Exploitability

The CVSS base score of 6.5 signifies a moderate risk, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation campaigns. Attackers would need write access to content that uses the shortcode to inject malicious payloads, after which any visitor to that content could be exposed to the stored script.

Generated by OpenCVE AI on April 29, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Maarten Links shortcode plugin to the latest version (1.8.4 or newer).
  • If an upgrade is not feasible, remove the plugin or disable all use of its shortcode feature until a patch is applied.
  • Audit existing posts, pages, and comments for unexpected scripts or altered shortcode output and cleanse any suspicious content.

Generated by OpenCVE AI on April 29, 2026 at 20:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Maarten
Maarten links Shortcode
Wordpress
Wordpress wordpress
Vendors & Products Maarten
Maarten links Shortcode
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maarten Links shortcode links-shortcode allows Stored XSS.This issue affects Links shortcode: from n/a through <= 1.8.3.
Title WordPress Links shortcode plugin <= 1.8.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Maarten Links Shortcode
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:04.996Z

Reserved: 2025-10-24T14:24:16.561Z

Link: CVE-2025-62898

cve-icon Vulnrichment

Updated: 2025-10-27T15:20:42.241Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:48.937

Modified: 2026-04-27T18:16:28.413

Link: CVE-2025-62898

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses