CVE-2026-22357
Reflected XSS in Link Whisper Free β€ 0.9.0 Allows Code Injection
Publication date: 2026-02-20
Last updated on: 2026-04-01
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spencer_haws | link_whisper_free | to 0.9.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22357 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress Link Whisper Free Plugin versions up to and including 0.9.0.
This vulnerability allows an attacker to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto a website, which execute when visitors access the site.
Exploitation requires user interaction by a privileged user performing actions like clicking a malicious link, visiting a crafted page, or submitting a form, although no authentication is required to initiate the attack.
The vulnerability falls under the OWASP Top 10 category A3: Injection and is classified specifically as Cross Site Scripting (XSS).
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject malicious scripts into your website, which can execute when visitors access the site.
- Attackers can perform redirects to malicious sites.
- Attackers can display unwanted advertisements.
- Attackers can inject other harmful HTML payloads.
Such actions can compromise the security and integrity of your website and potentially harm your users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected Cross Site Scripting (XSS) issue in the WordPress Link Whisper Free Plugin up to version 0.9.0. Detection typically involves monitoring for suspicious HTTP requests that include malicious script payloads or unusual URL parameters that could trigger the XSS.
While no specific commands are provided in the available resources, common detection methods include using web application firewalls (WAFs) with rules targeting XSS payloads, or employing security scanners that test for reflected XSS by sending crafted requests and analyzing responses.
Administrators can also review web server logs for unusual query strings or payloads that contain script tags or JavaScript code, which may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the Patchstack mitigation rule designed to block attacks exploiting this XSS vulnerability.
Users are advised to implement this mitigation rule as soon as possible to protect their websites from malicious script injections.
Additionally, it is recommended to monitor and restrict user inputs and interactions that could trigger the vulnerability, and to keep an eye on updates from the plugin developer for an official patch.