Skip to main content

Internal Links Manager EUVDEUVD-2026-41345

| CVE-2026-57345 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-9hgh-wp39-cw79
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS requiring victim interaction (UI:R) with scope change (S:C) into the site context, yielding limited C/I/A via script execution in the victim's browser.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:14 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Internal Links Manager <= 3.0.3 versions.

AnalysisAI

Cross-Site Scripting in the Internal Links Manager WordPress plugin (versions 3.0.3 and earlier, by webraketen) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script escapes the vulnerable component's boundary and can act against other WordPress users, including administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft link with XSS payload
Delivery
Deliver via phishing to WordPress user
Exploit
Victim opens crafted page
Execution
Unsanitized input rendered in browser
Persist
Script executes in victim session (scope change)
Impact
Hijack session or act as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) and no special plugin configuration, but it is gated by user interaction (UI:R): a victim must be induced to click a crafted link or load an attacker-influenced page served by the vulnerable Internal Links Manager rendering path on a site running version 3.0.3 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, and no privileges required (PR:N, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or content payload containing malicious JavaScript targeting the vulnerable Internal Links Manager rendering path and lures a victim - ideally a logged-in WordPress administrator - into visiting it. When the page renders the unsanitized input, the script executes in the victim's browser session (scope-changed), enabling session cookie theft, CSRF-token abuse, or backend actions performed as the administrator. …
Remediation No vendor-released patch version is identified in the available data; because versions up to and including 3.0.3 are affected, upgrade to the next release above 3.0.3 once the vendor publishes it and confirm the fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/seo-automated-link-building/vulnerability/wordpress-internal-links-manager-plugin-3-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve) rather than assuming a version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Internal Links Manager plugin version 3.0.3 or earlier and disable the plugin immediately if not operationally critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy