Impact
The Link Whisper Free plugin does not sufficiently sanitize input before generating HTML, so script payloads supplied by a user can be reflected back to the browser unchanged. An attacker can place such a payload in a user‑controlled field that the plugin reads and displays, such as a link URL or title. When a visitor loads the page containing the reflected content, the injected script runs in that visitor's browser context and can steal credentials, hijack sessions, deface content, or carry out other client‑side attacks without requiring any elevated server privileges.
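The pattern the advisory describes, as an added illustration that is not Link Whisper's own code: a WordPress render path that takes a link URL and title from the request and writes them into HTML, shown first in the vulnerable form and then hardened with the core escaping helpers. The `lw_demo_*` function names and the `url`/`title` query parameters are hypothetical; `wp_unslash()`, `sanitize_text_field()`, `esc_url()` and `esc_html()` are WordPress core functions and the snippet assumes it runs inside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress core is loaded
// so that wp_unslash(), sanitize_text_field(), esc_url() and esc_html() exist.

// VULNERABLE PATTERN: request parameters are concatenated straight into markup.
// A title of "<script>...</script>" or a url of "javascript:..." is emitted as-is,
// which is exactly the reflected XSS class described above.
function lw_demo_render_link_unsafe() {
    $url   = isset( $_GET['url'] )   ? $_GET['url']   : '';
    $title = isset( $_GET['title'] ) ? $_GET['title'] : '';
    echo '<a href="' . $url . '">' . $title . '</a>';
}

// HARDENED PATTERN: unslash the raw input, sanitize it on the way in, and escape
// each value for the exact HTML context it is written into on the way out.
function lw_demo_render_link_safe() {
    $url   = isset( $_GET['url'] )   ? wp_unslash( $_GET['url'] ) : '';
    $title = isset( $_GET['title'] ) ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : '';

    // esc_url() rejects URLs whose scheme is not in wp_allowed_protocols()
    // (javascript: is not allowed) and returns an attribute-safe string, so it
    // is the right escaper for an href value.
    $safe_href = esc_url( $url );
    if ( '' === $safe_href ) {
        return; // nothing renderable: emit no link rather than an attacker-shaped one
    }

    // esc_html() neutralises <, >, &, " and ' for a text-node context.
    printf( '<a href="%s">%s</a>', $safe_href, esc_html( $title ) );
}
```

The important design point is that escaping is chosen per output context: `esc_url()` for an `href` attribute, `esc_html()` for element text, and `esc_attr()` for any other attribute value. Input sanitization alone is not enough, because the same stored value may later be written into several different contexts.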
Affected Systems
The vulnerability is present in all releases of the Link Whisper Free plugin provided by Spencer Haws up to version 0.9.2. No other product versions are known to be affected at the time of this analysis.
Risk and Exploitability
The base CVSS score of 7.1 indicates moderate to high severity with client‑side impact. An EPSS score below 1% indicates a very low predicted likelihood of exploitation in the wild. The weakness is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack is delivered remotely: an attacker must supply crafted input, typically via a URL or form submission, that the plugin then reflects into the page. No public exploit code is known, but because the XSS is reflected, an attacker who can persuade a victim to follow a crafted link needs nothing more to trigger it.
OpenCVE Enrichment