CVE-2025-11262

🗓️ 29 May 2026 06:43:42Reported by WordfenceType

cve🔗 web.nvd.nist.gov👁 17 Views🌐 WEB

Unauthenticated stored cross site scripting in Link Whisper Free up to 0.9.0 via user_id.

Reporter	Title	Published	Views	Family All 12
GithubExploit	Exploit for CVE-2025-11262	9 Jun 202615:56	–	githubexploit
ATTACKERKB	CVE-2025-11262	29 May 202606:43	–	attackerkb
Circl	CVE-2025-11262	29 May 202609:38	–	circl
CNNVD	WordPress plugin Link Whisper Free 跨站脚本漏洞	29 May 202600:00	–	cnnvd
Cvelist	CVE-2025-11262 Link Whisper Free <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting	29 May 202606:43	–	cvelist
EUVD	EUVD-2025-209983	29 May 202606:43	–	euvd
NVD	CVE-2025-11262	29 May 202608:16	–	nvd
Patchstack	WordPress Link Whisper Free plugin <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting vulnerability	29 May 202613:16	–	patchstack
Positive Technologies	PT-2026-44755	29 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2025-11262	5 Jun 202619:41	–	redhatcve

Vulners

Node

linkwhspr link_whisper_freeRange≤0.9.0wordpress

[
  {
    "vendor": "linkwhspr",
    "product": "Link Whisper Free",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "0.9.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/link-whisper/trunk/core/Wpil/Settings.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/ad159b18-0ad1-4cab-932e-6850cf7a867f
wordpress	www.wordpress.org/plugins/link-whisper/

Parameter	Position	Path	Description	CWE
user_id	request body	/wp-json/link-whisper/ai-auth	Stored XSS via unauthenticated POST to AI authentication endpoint that persists attacker-controlled user_id which is later rendered in admin UI	CWE-79

17 Jun 2026 08:29Current

6Medium risk

Vulners AI Score6

CVSS 3.17.2

EPSS0.00233

SSVC