CVE-2026-57345
Deferred - Pending Action

Unauthenticated XSS in Internal Links Manager


Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Unauthenticated Cross Site Scripting (XSS) in Internal Links Manager versions <= 3.0.3.


Affected Vendors & Products

Showing 1 associated CPE
Vendor      Product                 Version / Range
patchstack  internal_links_manager  to 3.0.3 (inc)

CWE
CWE ID  Description
CWE-79  The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2026-57345 is a Cross Site Scripting (XSS) vulnerability found in the WordPress Internal Links Manager Plugin versions 3.0.3 and earlier.

This vulnerability allows attackers to inject malicious scripts into websites using the plugin. When visitors access the affected site, these scripts can be executed, potentially causing harmful actions such as redirects or displaying unwanted content.

The attack requires user interaction, like clicking a malicious link or visiting a specially crafted page.

The vulnerability is classified as medium priority with a CVSS score of 7.1 and falls under the OWASP Top 10 category A3: Injection.

Impact Analysis

This vulnerability allows attackers to execute malicious scripts in the browsers of your website's visitors.

  • Attackers can redirect visitors to malicious websites.
  • Unwanted or harmful content can be displayed to users.
  • It can affect the integrity and availability of your website.

Since the exploit requires user interaction, users might be tricked into clicking malicious links or visiting crafted pages that trigger the attack.

Detection Guidance

The vulnerability is a Cross Site Scripting (XSS) issue in the WordPress Internal Links Manager Plugin versions 3.0.3 and earlier. Detection typically involves determining whether a vulnerable plugin version is installed and whether malicious scripts are being injected or executed.

While no specific commands are provided in the resources, common detection methods include scanning the website for the plugin version and monitoring HTTP requests for suspicious script injections or unusual redirects.

For example, you can check the plugin version by accessing the WordPress plugin directory or using WP-CLI commands such as:

    wp plugin list | grep internal-links-manager

Additionally, monitoring web server logs or using web application firewalls (WAF) with rules to detect XSS payloads can help identify exploitation attempts.
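
The version check above can be turned into a pass/fail test that compares the installed version against the last affected release. This is an added example, not code from the advisory or the plugin; it assumes the plugin slug is internal-links-manager (as in the grep above) and reads the CSV that WP-CLI prints with --fields=name,version --format=csv.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumptions: plugin slug
# "internal-links-manager" (from the grep above) and last affected version 3.0.3.
SLUG="internal-links-manager"
LAST_AFFECTED="3.0.3"

# version_le A B: succeed when dotted numeric version A <= B.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }' </dev/null
}

# check_plugins: reads "name,version" CSV rows on stdin, e.g. from
#   wp plugin list --fields=name,version --format=csv
# Returns 0 = installed and not affected, 1 = affected, 2 = not installed.
check_plugins() {
    rc=2
    while IFS=, read -r name version; do
        [ "$name" = "$SLUG" ] || continue
        if version_le "$version" "$LAST_AFFECTED"; then
            echo "AFFECTED: $name $version is <= $LAST_AFFECTED"
            rc=1
        else
            echo "OK: $name $version is newer than $LAST_AFFECTED"
            rc=0
        fi
    done
    return "$rc"
}

# Constructed sample output (not from a real site).
SAMPLE='name,version
akismet,5.3
internal-links-manager,3.0.3'
printf '%s\n' "$SAMPLE" | check_plugins || true
```

On a live site, pipe the WP-CLI output into check_plugins and act on the exit status, for example from a cron job or a fleet inventory script.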

Mitigation Strategies

The immediate recommended step is to update the WordPress Internal Links Manager Plugin to version 3.0.4 or later, where the vulnerability has been patched.

If updating immediately is not possible, applying the mitigation rule issued by Patchstack to block attacks targeting this vulnerability is advised.

Users can also seek assistance from their hosting provider or developer to implement temporary protections until the update is applied.
