CVE-2025-15483 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Link Hopper plugin for WordPress, affecting all versions up to and including 2.5. The root cause is insufficient sanitization and output escaping of the 'hop_name' parameter, which is used during web page generation. This flaw allows authenticated users with administrator-level privileges to inject arbitrary JavaScript code into pages within multisite WordPress installations where the 'unfiltered_html' capability is disabled. When other users access these injected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is scoped to multisite configurations, limiting its reach to specific WordPress deployments. The CVSS 3.1 base score is 4.4, reflecting a medium severity due to the requirement for high privileges (administrator access), network attack vector, and no user interaction needed. The vulnerability impacts confidentiality and integrity but does not affect availability. No public exploits have been reported so far, and no official patches are linked yet, indicating the need for cautious monitoring and interim mitigations.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress multisite environments. An attacker with administrator privileges can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, performing actions on behalf of users, or defacing content. This can lead to unauthorized access, data leakage, or further compromise of the WordPress installation. Since the vulnerability requires administrator-level access, the risk is somewhat mitigated by the need for prior compromise or insider threat. However, multisite WordPress installations are often used by organizations managing multiple sites, increasing the potential attack surface and impact scope. The lack of availability impact reduces the risk of denial-of-service conditions. Organizations relying on multisite WordPress setups with the Link Hopper plugin are at risk of targeted attacks, especially if they have sensitive user data or high-value content.

1. Immediately audit multisite WordPress installations to identify usage of the Link Hopper plugin, especially versions up to 2.5. 2. Restrict administrator access strictly and review user privileges to minimize the risk of insider threats or compromised admin accounts. 3. Until an official patch is released, consider disabling or uninstalling the Link Hopper plugin in multisite environments where possible. 4. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'hop_name' parameter. 5. Enable Content Security Policy (CSP) headers to reduce the impact of injected scripts by restricting script execution sources. 6. Monitor logs for unusual administrator activity or unexpected changes to plugin parameters. 7. Educate administrators on the risks of XSS and the importance of secure input handling. 8. Once available, promptly apply vendor patches or updates addressing this vulnerability. 9. Consider deploying security plugins that sanitize inputs and outputs to add an additional layer of defense.