CVE-2025-12629: CWE-79 Cross-Site Scripting (XSS) in Broken Link Manager
The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
AI Analysis
Technical Summary
CVE-2025-12629 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Broken Link Manager WordPress plugin versions up to 0.6.5. The vulnerability stems from the plugin's failure to sanitize and escape a parameter before reflecting it back in the page output, allowing attackers to inject malicious JavaScript code. This type of XSS is classified under CWE-79, which involves improper neutralization of input leading to script execution in the victim’s browser. The attack vector is remote network access (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability at a low level (C:L, I:L, A:L), resulting in a CVSS v3.1 base score of 7.1, categorized as high severity. The vulnerability primarily threatens high-privilege users such as administrators, as successful exploitation can lead to session hijacking, theft of credentials, or unauthorized actions on the WordPress site. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The Broken Link Manager plugin is used to manage and monitor broken links on WordPress sites, and its compromise could undermine website integrity and user trust. The reflected XSS requires the victim to click a crafted URL or visit a malicious page, which then executes the injected script in their browser context. This can lead to cookie theft, redirection to malicious sites, or execution of administrative actions if the victim is an admin user.
Potential Impact
For European organizations, this vulnerability poses a significant risk to WordPress-based websites that use the Broken Link Manager plugin. Successful exploitation can lead to unauthorized access to administrative accounts, enabling attackers to manipulate website content, inject malicious code, or steal sensitive information. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Given the widespread use of WordPress across Europe, especially in sectors like e-commerce, media, and government, the vulnerability could be leveraged to target high-value sites. The reflected XSS nature means phishing campaigns could be used to trick administrators into clicking malicious links, increasing the attack surface. Additionally, compromised sites could be used to distribute malware or conduct further attacks against visitors. The impact on confidentiality, integrity, and availability, although rated low individually, combined with the high likelihood of exploitation and the critical role of affected users, elevates the overall threat to a high level. Organizations failing to address this vulnerability risk regulatory penalties under GDPR if personal data is compromised.
Mitigation Recommendations
Immediate mitigation should focus on monitoring for updates from the Broken Link Manager plugin developers and applying patches as soon as they are released. Until a patch is available, organizations should implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns that attempt to inject scripts via URL parameters. Administrators should restrict access to the WordPress admin interface by IP whitelisting or VPN access to reduce exposure. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Educate administrators and users about the risks of clicking untrusted links, especially those purporting to be related to site management. Regularly audit installed plugins and remove or replace those that are outdated or unsupported. Enable multi-factor authentication (MFA) for WordPress admin accounts to reduce the impact of credential theft. Finally, implement logging and alerting to detect unusual administrative activities that could indicate exploitation attempts.
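To make the root cause and the fix concrete, here is an added example written for this page; it is not code from the Broken Link Manager plugin, and the parameter name `blm_filter` and the `blm_example_*` function names are hypothetical. It shows the reflected-output pattern the advisory describes (a query-string value echoed into HTML without sanitising or escaping) next to the hardened form using WordPress's own `sanitize_text_field()`, `esc_html()` and `esc_attr()`, plus a Content Security Policy header sent through the `send_headers` hook as defence in depth:

```php
<?php
// Added example, not code from the Broken Link Manager plugin.
// The parameter "blm_filter" and the blm_example_* names are hypothetical.

// Vulnerable pattern (CWE-79): request input reflected into HTML unchanged.
function blm_example_render_filter_unsafe() {
    $filter = isset( $_GET['blm_filter'] ) ? $_GET['blm_filter'] : '';
    // Whatever arrives in the query string is emitted verbatim, so any markup
    // in it becomes part of the page and is interpreted by the browser.
    echo '<p>Showing links matching: ' . $filter . '</p>';
    echo '<input type="text" name="blm_filter" value="' . $filter . '">';
}

// Hardened pattern: sanitise on input, escape for the exact output context.
function blm_example_render_filter_safe() {
    // wp_unslash() undoes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, NUL bytes and stray whitespace.
    $filter = isset( $_GET['blm_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['blm_filter'] ) )
        : '';
    // esc_html() for text nodes, esc_attr() for attribute values: each one
    // encodes the characters that would otherwise close the current context.
    echo '<p>Showing links matching: ' . esc_html( $filter ) . '</p>';
    echo '<input type="text" name="blm_filter" value="' . esc_attr( $filter ) . '">';
}

// Defence in depth: a CSP that disallows inline script, so a reflection that
// slips through escaping still cannot execute. Hypothetical policy; tighten
// or extend the source lists to what the site actually loads.
function blm_example_send_csp() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'blm_example_send_csp' );
```

Two points worth keeping in mind when reviewing plugin code for this class of bug: the sanitising call on input is helpful but it is the escaping call at the point of output, matched to the HTML context, that actually prevents script execution; and the `send_headers` hook fires for front-end requests, while the WordPress admin screens rely heavily on inline scripts, so a policy this strict needs nonces or hashes and careful testing before it is applied to `wp-admin`.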
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-11-03T10:33:43.580Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6923f52e8313f4d201985fa1
Added to database: 11/24/2025, 6:03:26 AM
Last enriched: 12/1/2025, 6:20:55 AM
Last updated: 1/10/2026, 10:13:36 PM
Related Threats
- CVE-2026-0824: Cross Site Scripting in questdb ui (Medium)
- CVE-2025-13393: CWE-918 Server-Side Request Forgery (SSRF) in marceljm Featured Image from URL (FIFU) (Medium)
- CVE-2025-12379: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in averta Shortcodes and extra features for Phlox theme (Medium)
- CVE-2026-0822: Heap-based Buffer Overflow in quickjs-ng quickjs (Medium)
- CVE-2026-0821: Heap-based Buffer Overflow in quickjs-ng quickjs (Medium)