CVE-2025-15483
Stored XSS in Link Hopper WordPress Plugin Allows Admin Script Injection
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| link_hopper | link_hopper | up to and including 2.5 |
| link_hopper | link_hopper | 1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Link Hopper plugin to a version later than 2.5 where the vulnerability is fixed, if such an update is available.
If an update is not available, restrict administrator-level access to trusted users only, since exploitation requires authenticated administrator privileges.
Additionally, ensure that the WordPress installation is configured securely, including enabling unfiltered_html if possible, or otherwise limiting the ability to inject scripts.
As a temporary workaround, consider disabling or removing the Link Hopper plugin until a patch is applied.
Can you explain this vulnerability to me?
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'hop_name' parameter in all versions up to and including 2.5. This vulnerability arises because the plugin does not sufficiently sanitize input or escape output for this parameter.
An authenticated attacker with administrator-level access can exploit this flaw to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the injected page.
This vulnerability specifically affects multi-site WordPress installations and installations where the 'unfiltered_html' capability has been disabled.
How can this vulnerability impact me?
This vulnerability can allow an attacker with administrator privileges to inject malicious scripts that execute in the context of users visiting the affected pages. Possible consequences include:
- Execution of arbitrary JavaScript code in users' browsers.
- Potential theft of user credentials or session tokens.
- Manipulation of website content or behavior.
- Compromise of user data confidentiality and integrity.
Because the vulnerability requires administrator-level access and affects multi-site or restricted HTML installations, the risk is somewhat limited but still significant in those environments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the Link Hopper plugin is installed on a WordPress multi-site installation or on a site where unfiltered_html is disabled, and whether the plugin version is up to and including 2.5.

To detect exploitation attempts on your system or network, you can monitor HTTP requests for URLs matching the pattern used by the plugin, typically something like `/hop/XXXXXX`. Since the plugin redirects these requests, suspicious or unexpected requests to such URLs could indicate attempts to exploit the vulnerability.

Suggested commands to detect such activity include using web server logs or network traffic analysis tools to search for requests matching the hop URL pattern. For example, on a Linux server, you can use the following commands to search your web server access logs for requests to the hop URLs:

- `grep "/hop/" /var/log/apache2/access.log`
- `grep "/hop/" /var/log/nginx/access.log`

Additionally, you can use curl or similar tools to test if the plugin is present and vulnerable by sending requests to known hop URLs and observing the response behavior. [1]
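As an added example (not code from the advisory or from the plugin), the following Python script applies the two checks described above: whether the installed Link Hopper version falls in the affected range (up to and including 2.5), and which `/hop/` URLs appear in the web server access log, counted per hop so unknown or probed hop names stand out. It assumes the Apache/nginx combined log format, and the log lines it runs on are constructed samples.

```python
import re
from collections import Counter

# Assumed Apache/nginx combined access-log format: client, [time], "METHOD path proto" status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Affected range from the advisory: every version up to and including 2.5.
LAST_AFFECTED = (2, 5)


def parse_version(version: str) -> tuple:
    """'2.10' -> (2, 10); numeric tuples compare correctly where strings do not ('2.10' > '2.5')."""
    parts = [int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 2.5.0 the same as 2.5
        parts.pop()
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True for any Link Hopper version <= 2.5."""
    return parse_version(version) <= LAST_AFFECTED


def hop_requests(log_lines):
    """Yield (client, path, status) for every request to a /hop/ URL in the log."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").startswith("/hop/"):
            yield m.group("client"), m.group("path"), int(m.group("status"))


def hop_summary(log_lines) -> Counter:
    """Requests per hop URL, so unexpected hop names or probing for non-existent hops stand out."""
    return Counter(path for _, path, _ in hop_requests(log_lines))


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Feb/2026:10:01:02 +0000] "GET /hop/abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Feb/2026:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2026:10:02:15 +0000] "GET /hop/zzz999 HTTP/1.1" 404 512 "-" "curl/8.0"',
    '198.51.100.7 - - [14/Feb/2026:10:02:16 +0000] "GET /hop/abc123 HTTP/1.1" 302 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for path, n in hop_summary(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {path}")
    print("2.5 affected:", is_affected_version("2.5"), "| 2.10 affected:", is_affected_version("2.10"))
```

Feed real log lines to `hop_summary` via `open(...)` in place of `SAMPLE_LOG`; a 404 on a hop URL means a request for a hop name that does not exist, which is the kind of unexpected request the answer above refers to.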