CVE-2025-12629 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Broken Link Manager WordPress plugin versions up to 0.6.5. The vulnerability stems from the plugin’s failure to properly sanitize and escape a parameter before outputting it back to the webpage, allowing an attacker to inject malicious JavaScript code. This type of XSS is reflected, meaning the malicious script is embedded in a crafted URL or request and immediately reflected in the server’s response. When a high-privilege user such as an administrator clicks on this crafted link, the malicious script executes in their browser context. The CVSS v3.1 base score of 7.1 reflects a high severity due to the network attack vector (no privileges required), low attack complexity, but requiring user interaction. The vulnerability impacts confidentiality by potentially exposing session tokens or sensitive data, integrity by enabling unauthorized actions or configuration changes, and availability by possibly triggering disruptive scripts. The scope is changed (S:C) because the vulnerability affects components beyond the vulnerable plugin, potentially impacting the entire WordPress site. Although no public exploits are currently known, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with administrative users. The lack of a patch at the time of reporting increases the urgency for mitigation. The vulnerability is categorized under CWE-79, a common and well-understood web application security weakness.

The impact of CVE-2025-12629 is significant for organizations running WordPress sites with the Broken Link Manager plugin installed. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of admin users, enabling session hijacking, theft of credentials, unauthorized administrative actions, and potential site defacement or malware injection. This compromises the confidentiality, integrity, and availability of the affected web application and potentially the broader network if administrative credentials are stolen. Organizations relying on WordPress for critical business functions or e-commerce are at heightened risk of data breaches, reputational damage, and operational disruption. The vulnerability’s exploitation requires user interaction but no authentication, making it accessible to remote attackers via phishing or social engineering. The absence of known public exploits currently limits immediate widespread attacks, but the vulnerability’s presence in a popular CMS plugin makes it a likely target for future exploitation. The scope change indicates that the vulnerability could affect other components or plugins interacting with Broken Link Manager, amplifying the risk.

To mitigate CVE-2025-12629, organizations should: 1) Monitor for and apply security patches or updates from the Broken Link Manager plugin developers as soon as they become available. 2) In the absence of an official patch, implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the vulnerable parameter. 3) Restrict administrative access to trusted networks and use multi-factor authentication (MFA) to reduce the risk of compromised credentials. 4) Educate administrators and users about the risks of clicking on unsolicited or suspicious links to prevent social engineering exploitation. 5) Conduct regular security audits and vulnerability scans on WordPress installations to identify vulnerable plugins. 6) Consider temporarily disabling or removing the Broken Link Manager plugin if it is not essential, until a patch is available. 7) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 8) Monitor logs for unusual activity or access patterns that may indicate attempted exploitation.