Impact
The vulnerability is an unauthenticated cross-site scripting (XSS) flaw in the WordPress Internal Links Manager plugin, versions 3.0.3 and earlier. By injecting a script payload into user-controlled input that the plugin reflects into a page, an attacker can have arbitrary script execute in the browsers of visitors who load a page managed by the plugin. This can lead to data theft, session hijacking, or defacement of the site. The weakness is classified as CWE-79 (improper neutralization of input during web page generation), i.e. user input is not adequately validated and escaped before it is written into HTML.
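The CWE-79 pattern behind this class of flaw, shown as an added illustration rather than the plugin's own code: a hypothetical WordPress shortcode handler that reflects request parameters into a link, first without escaping and then hardened with the WordPress sanitization and escaping helpers (`wp_unslash`, `sanitize_text_field`, `esc_url_raw`, `esc_url`, `esc_html`). The function and shortcode names are assumed for the example.

```php
<?php
// Illustrative example only; not the Internal Links Manager plugin's code.
// Shows how reflected input becomes stored/reflected XSS (CWE-79) and the fix.

// Vulnerable form: the request parameters are echoed verbatim into the HTML,
// so any markup or script they contain is rendered and executed by the
// visitor's browser. This is the defect class described in the advisory.
function ilm_demo_links_vulnerable( $atts ) {
    $label = isset( $_GET['label'] ) ? wp_unslash( $_GET['label'] ) : '';
    $url   = isset( $_GET['url'] )   ? wp_unslash( $_GET['url'] )   : '';
    return '<a class="internal-link" href="' . $url . '">' . $label . '</a>';
}

// Hardened form: sanitize on input, then escape on output for the exact
// context the value lands in (esc_url for the href attribute, esc_html for
// the link text). Escaping at output time is what prevents the injected
// payload from being interpreted as HTML or script.
function ilm_demo_links_hardened( $atts ) {
    $label = isset( $_GET['label'] )
        ? sanitize_text_field( wp_unslash( $_GET['label'] ) )
        : '';
    $url = isset( $_GET['url'] )
        ? esc_url_raw( wp_unslash( $_GET['url'] ) )
        : '';
    return sprintf(
        '<a class="internal-link" href="%s">%s</a>',
        esc_url( $url ),
        esc_html( $label )
    );
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
add_shortcode( 'ilm_demo_links', 'ilm_demo_links_hardened' );
```

When reviewing a plugin for this weakness, look for every place request or database values reach `echo`, `print`, or string concatenation into HTML without one of the `esc_*` helpers for the matching context.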
Affected Systems
The affected system is any WordPress site running the Webraketen Internal Links Manager plugin at version 3.0.3 or older. Version 3.0.4 and later contain the fix, so sites running a fixed version are not affected.
Risk and Exploitability
With a CVSS score of 7.1, the vulnerability is rated high severity. No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because the flaw is unauthenticated, an attacker only needs to lure a victim to a crafted URL or to target a public page that incorporates the plugin's output. Once the script runs in the victim's browser, it can perform any action that user is authorized to perform on the site. The absence of an authentication requirement lowers the barrier to exploitation, so the risk is significant for sites that expose the plugin's output on the front end.
OpenCVE Enrichment