CVE-2025-0804: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in flowdee ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages
CVE-2025-0804 is a stored cross-site scripting (XSS) vulnerability in the ClickWhale WordPress plugin used for link management and tracking. It affects all versions up to 2.4.1 and allows authenticated users with Contributor-level access or higher to inject malicious scripts via link titles. These scripts execute when any user views the affected pages, potentially leading to session hijacking or unauthorized actions. The vulnerability arises from insufficient input sanitization and output escaping. Exploitation does not require user interaction beyond visiting the injected page. The CVSS score is 6.4 (medium severity), reflecting network exploitability with low attack complexity but requiring privileges. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2025-0804 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages WordPress plugin developed by flowdee. This vulnerability exists in all versions up to and including 2.4.1 due to improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape user-supplied input in link titles, allowing authenticated users with Contributor-level or higher privileges to inject arbitrary JavaScript code. When other users access pages containing these maliciously crafted link titles, the injected scripts execute in their browsers. This can lead to various attacks such as session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim user. The vulnerability is exploitable remotely over the network without user interaction beyond visiting the compromised page. The CVSS v3.1 base score of 6.4 reflects a medium severity, with attack vector being network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change due to impact on other users. No official patches or updates are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling user-generated content and affiliate marketing links.
Potential Impact
The impact of CVE-2025-0804 is significant for organizations using the ClickWhale plugin, particularly those with multiple contributors or public-facing affiliate marketing sites. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts that execute in the browsers of any user viewing the affected pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts. It may also facilitate defacement, phishing, or redirection to malicious sites, undermining user trust and damaging brand reputation. Since the vulnerability affects the integrity and confidentiality of user sessions and data, it poses a moderate risk to organizational security. The requirement for authenticated access limits exposure but does not eliminate risk, as Contributor-level accounts are common in collaborative WordPress environments. The absence of known exploits reduces immediate threat but does not preclude future attacks. Organizations relying on affiliate marketing and link tracking are particularly vulnerable due to the plugin’s role in managing external links, which could be manipulated to spread malware or conduct further attacks.
Mitigation Recommendations
To mitigate CVE-2025-0804, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of official patches, administrators should restrict Contributor-level access to trusted users only, minimizing the risk of malicious input injection. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting link titles can provide an additional layer of defense. Regularly auditing and sanitizing existing link titles in the database to remove suspicious scripts is recommended. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Developers maintaining the plugin should adopt secure coding practices, including proper input validation, context-aware output encoding, and use of WordPress security APIs such as esc_html() and wp_kses(). Monitoring user activity logs for unusual behavior by contributors can help detect attempted exploitation. Finally, educating contributors about safe content creation and the risks of XSS can reduce inadvertent introduction of malicious code.
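The following is an added illustration, not ClickWhale's own code (the plugin's vulnerable routine is not reproduced on this page): a link-title rendering function in the shape the advisory describes, beside its corrected form using the WordPress escaping helpers named above. The `esc_html()`/`esc_url()` definitions are simplified stand-ins, assumed here only so the file runs under plain `php` outside WordPress; inside WordPress the real helpers are used.

```php
<?php
// Added illustration, not ClickWhale's code.
// Simplified stand-ins for the WordPress escaping helpers so this file runs
// outside WordPress (assumption); in a real plugin the core functions apply.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        // HTML-body context: turn <, >, &, quotes into entities.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // href context: permit only http(s) targets, then entity-encode.
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample row: a title a Contributor-level user could save.
$link = [
    'url'   => 'https://example.com/offer',
    'title' => 'Deal <script>alert(1)</script>',
];

// Vulnerable pattern (CWE-79): stored values concatenated into markup as-is,
// so the stored <script> element is emitted live to every viewer.
function render_link_unsafe(array $link): string {
    return '<a href="' . $link['url'] . '">' . $link['title'] . '</a>';
}

// Corrected pattern: context-aware escaping at output time. The title is
// escaped for HTML body text, the URL for an href attribute.
function render_link_escaped(array $link): string {
    return '<a href="' . esc_url($link['url']) . '">'
        . esc_html($link['title']) . '</a>';
}

echo render_link_unsafe($link), PHP_EOL;   // contains a live <script> element
echo render_link_escaped($link), PHP_EOL;  // same text, rendered inert
```

If a title field is meant to carry limited markup rather than plain text, `wp_kses_post()` (allow-list filtering) is the WordPress helper for that case instead of `esc_html()`.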
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-28T14:53:15.819Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b6bb7ef31ef0b5553a5
Added to database: 2/25/2026, 9:36:43 PM
Last enriched: 2/25/2026, 11:56:11 PM
Last updated: 2/26/2026, 8:49:52 AM