Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network XSS requiring victim interaction (UI:R) with scope change (S:C) into the site context, yielding limited C/I/A via script execution in the victim's browser.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Internal Links Manager <= 3.0.3 versions.
AnalysisAI
Cross-Site Scripting in the Internal Links Manager WordPress plugin (versions 3.0.3 and earlier, by webraketen) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script escapes the vulnerable component's boundary and can act against other WordPress users, including administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires no authentication (PR:N) and no special plugin configuration, but it is gated by user interaction (UI:R): a victim must be induced to click a crafted link or load an attacker-influenced page served by the vulnerable Internal Links Manager rendering path on a site running version 3.0.3 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, and no privileges required (PR:N, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or content payload containing malicious JavaScript targeting the vulnerable Internal Links Manager rendering path and lures a victim - ideally a logged-in WordPress administrator - into visiting it. When the page renders the unsanitized input, the script executes in the victim's browser session (scope-changed), enabling session cookie theft, CSRF-token abuse, or backend actions performed as the administrator. … |
| Remediation | No vendor-released patch version is identified in the available data; because versions up to and including 3.0.3 are affected, upgrade to the next release above 3.0.3 once the vendor publishes it and confirm the fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/seo-automated-link-building/vulnerability/wordpress-internal-links-manager-plugin-3-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve) rather than assuming a version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using Internal Links Manager plugin version 3.0.3 or earlier and disable the plugin immediately if not operationally critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41345
GHSA-9hgh-wp39-cw79