Description
Unauthenticated Cross Site Scripting (XSS) in Internal Links Manager <= 3.0.3 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated cross-site scripting flaw in the WordPress Internal Links Manager plugin, versions 3.0.3 and earlier. By injecting script payloads into user-controlled input that the plugin echoes into a page, an attacker can execute arbitrary script in the browsers of visitors who load a page managed by the plugin. This can lead to data theft, session hijacking, or defacement of the site. The weakness is improper neutralization of input during web page generation, catalogued as CWE-79.

Affected Systems

Any WordPress site running the Webraketen Internal Links Manager plugin at version 3.0.3 or older is affected. Plugin versions 3.0.4 and later contain the fix, so sites on those versions are not impacted.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability is rated high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalogue. Because the flaw is unauthenticated, an attacker only needs to lure a victim to a crafted URL or to target a public page that incorporates the plugin’s output (the CVSS vector records user interaction as required). Once the script runs in the victim’s browser, the attacker can perform any action that user is authorized to perform on the site. The absence of an authentication requirement lowers the barrier to exploitation, making the risk significant for sites that expose the plugin’s output on the front end.

Generated by OpenCVE AI on July 2, 2026 at 15:20 UTC.

Remediation

Vendor Solution

Update the WordPress Internal Links Manager Plugin to the latest available version (at least 3.0.4).


OpenCVE Recommended Actions

  • Upgrade the Internal Links Manager plugin to version 3.0.4 or later.
  • If the plugin cannot be updated immediately, disable or deactivate it on all public pages, or remove it entirely, to stop the vulnerable code from executing.
  • Add a strict Content Security Policy that disallows inline scripts and restricts script sources, mitigating the impact of any remaining XSS vectors that may arise from other plugins.
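As an added illustration of the two remediation themes above (escaping plugin output at render time and emitting a restrictive Content Security Policy), the following is hypothetical example code written for this page. It is not code from the Internal Links Manager plugin, from Webraketen, or from OpenCVE; the function names `ilm_example_render_link` and `ilm_example_send_csp`, the shortcode name `ilm_example_link`, and the `$attrs` array layout are assumptions. It uses the standard WordPress escaping functions (`esc_url`, `esc_attr`, `esc_html`) and the `send_headers` action.

```php
<?php
// Hypothetical example code added for this page; not the plugin's own code.
// Output-time escaping: every value that came from the request, the database,
// or a shortcode attribute is escaped for the context it lands in (CWE-79).

/**
 * Render one internal link from untrusted attributes.
 * $attrs is an assumed layout: ['url' => ..., 'text' => ..., 'title' => ...].
 */
function ilm_example_render_link( array $attrs ) {
    $url   = isset( $attrs['url'] )   ? $attrs['url']   : '';
    $text  = isset( $attrs['text'] )  ? $attrs['text']  : '';
    $title = isset( $attrs['title'] ) ? $attrs['title'] : '';

    // esc_url() returns '' for disallowed schemes such as javascript: and
    // encodes characters that could break out of the attribute.
    $safe_url = esc_url( $url );
    if ( '' === $safe_url ) {
        return ''; // refuse to emit a link whose URL was rejected
    }

    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        $safe_url,
        esc_attr( $title ),   // attribute context
        esc_html( $text )     // text-node context
    );
}

// The unescaped pattern this replaces, shown only for contrast (do not use):
//   return '<a href="' . $attrs['url'] . '">' . $attrs['text'] . '</a>';

/**
 * Emit a Content Security Policy that disallows inline scripts and
 * restricts script sources to the site itself. Widen script-src only
 * for origins the site legitimately loads scripts from.
 */
function ilm_example_send_csp() {
    if ( headers_sent() ) {
        return;
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'ilm_example_send_csp' );

// Shortcode wiring so that only the escaped renderer reaches the page.
add_shortcode( 'ilm_example_link', function ( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'text' => '', 'title' => '' ),
        $atts,
        'ilm_example_link'
    );
    return ilm_example_render_link( $atts );
} );
```

A `script-src` without `'unsafe-inline'` blocks injected `<script>` elements and inline event handlers even where an escaping call was missed, but it equally blocks legitimate inline scripts emitted by the theme or other plugins. Roll the policy out under the `Content-Security-Policy-Report-Only` header first and review the violation reports before enforcing it.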

Generated by OpenCVE AI on July 2, 2026 at 15:20 UTC.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type: Description
Values Added: Unauthenticated Cross Site Scripting (XSS) in Internal Links Manager <= 3.0.3 versions.

Type: Title
Values Added: WordPress Internal Links Manager plugin <= 3.0.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (not shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:14:00.631Z

Reserved: 2026-06-24T12:45:24.971Z

Link: CVE-2026-57345

Vulnrichment

Updated: 2026-07-02T12:13:57.383Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')