Cyber Posture

CVE-2025-0809

Severity: High

Published: 31 January 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0063 (70.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Link Fixer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via broken links in all versions up to, and including, 3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Security Summary

CVE-2025-0809 is a stored cross-site scripting (XSS) vulnerability in the Link Fixer plugin for WordPress, affecting all versions up to and including 3.4. The issue arises from insufficient input sanitization and output escaping when handling broken links, enabling the injection of arbitrary web scripts into pages. Published on 2025-01-31, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is classified under CWE-79.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By injecting malicious scripts via broken links, attackers can store XSS payloads in pages that execute whenever any user, including administrators, accesses those pages, potentially compromising session data or performing actions on behalf of victims.

Mitigation details are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/37198f2f-2b45-40d3-b4ae-aa94213996bd?source=cve and the plugin's WordPress page at https://wordpress.org/plugins/permalink-finder/. WordPress site administrators should update the Link Fixer plugin to a version beyond 3.4 to address the vulnerability.
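The advisory names the root cause as "insufficient input sanitization and output escaping" of broken-link data (CWE-79). The following is an added illustration, not code from the Link Fixer plugin or from Wordfence: a hypothetical "broken link log" feature that records the URLs visitors hit that returned 404 and later lists them on an admin page. It shows the unescaped rendering pattern that produces a stored XSS of this kind next to a hardened version that sanitizes on input and escapes for the exact output context. All function names, the option name and the 500-entry cap are assumptions made for the example.

```php
<?php
/**
 * Added example, not the Link Fixer plugin's code. Function names, the
 * option key 'example_broken_links' and the log cap are assumptions.
 * Core WordPress helpers used: is_404(), get_option(), update_option(),
 * wp_unslash(), sanitize_text_field(), esc_url_raw(), esc_url(),
 * esc_html(), current_user_can(), wp_date(), add_action().
 */

// --- Pattern to avoid: store the raw request path, echo it unescaped ---

function example_log_broken_link_unsafe() {
    if ( ! is_404() ) {
        return;
    }
    $log = (array) get_option( 'example_broken_links', array() );
    // The request URI is attacker-controlled: any unauthenticated visitor
    // writes into the stored log simply by requesting a non-existent path.
    $log[] = array( 'url' => $_SERVER['REQUEST_URI'], 'time' => time() );
    update_option( 'example_broken_links', $log );
}

function example_render_broken_links_unsafe() {
    foreach ( (array) get_option( 'example_broken_links', array() ) as $row ) {
        // Unescaped output: whatever was stored is parsed as HTML in the
        // browser of the administrator viewing the report.
        echo '<tr><td>' . $row['url'] . '</td><td>' . $row['time'] . '</td></tr>';
    }
}

// --- Hardened version: sanitize on the way in, escape on the way out ---

function example_log_broken_link_safe() {
    if ( ! is_404() ) {
        return;
    }
    $path = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
    // sanitize_text_field() strips tags, invalid octets and line breaks;
    // esc_url_raw() keeps only a well-formed URL with an allowed scheme,
    // which is the form we want persisted in the database.
    $path = esc_url_raw( sanitize_text_field( $path ) );
    if ( '' === $path ) {
        return;
    }
    $log   = (array) get_option( 'example_broken_links', array() );
    $log[] = array( 'url' => $path, 'time' => time() );
    // Cap the log so unauthenticated 404 spam cannot bloat the option table.
    $log = array_slice( $log, -500 );
    update_option( 'example_broken_links', $log );
}

function example_render_broken_links_safe() {
    // Only site administrators should see the report at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( (array) get_option( 'example_broken_links', array() ) as $row ) {
        // Escape per context even though the value was sanitized on input:
        // esc_url() for the href attribute, esc_html() for text nodes, and
        // an int cast for the timestamp before it is formatted.
        printf(
            '<tr><td><a href="%1$s">%2$s</a></td><td>%3$s</td></tr>',
            esc_url( $row['url'] ),
            esc_html( $row['url'] ),
            esc_html( wp_date( 'Y-m-d H:i', (int) $row['time'] ) )
        );
    }
}

// Hook the hardened logger; the unsafe variants above are for contrast only.
add_action( 'template_redirect', 'example_log_broken_link_safe' );
```

The fix is two-layered on purpose. Input sanitization limits what reaches the database, but output escaping is the control that actually prevents CWE-79, because stored data may also arrive through other paths (imports, older rows, other plugins) that never passed the sanitizer. When auditing a plugin for this class of bug, look for every place a stored, visitor-influenced value is echoed and confirm it goes through the escaping function matching its HTML context.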

Details

CWE(s)
CWE-79

References