CVE-2025-0804

6.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in the ClickWhale WordPress plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts into link titles. These scripts execute whenever users view pages containing the compromised links, potentially affecting all visitors to vulnerable WordPress sites.

💻 Affected Systems

Products:
  • ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages WordPress plugin
Versions: All versions up to and including 2.4.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with ClickWhale plugin enabled and at least one user with Contributor role or higher.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install backdoors for persistent access.

🟠

Likely Case

Attackers with contributor accounts inject malicious scripts to steal user session cookies or redirect visitors to phishing pages.

🟢

If Mitigated

With proper input validation and output escaping, the vulnerability is prevented entirely.
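The output-escaping fix the advisory refers to, shown as an added example rather than the plugin's own code: it renders a stored link title the way a WP_List_Table column would, first unescaped and then through WordPress's esc_html()/esc_attr(). The row shape, the admin URL and the column function names are assumptions, and the two escapers are shimmed only so the file runs outside WordPress.

```php
<?php
// Added example, not ClickWhale's own code: a stored XSS in a link title as
// rendered by a WP_List_Table column, next to the escaped version.
// Assumptions: the row shape, the admin URL and the column function names are
// hypothetical; esc_html()/esc_attr() are WordPress core functions, shimmed
// here only so this file runs outside WordPress.

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the stored title is concatenated straight into HTML,
// so markup saved by a Contributor runs in the browser of anyone viewing it.
function column_title_vulnerable(array $row): string {
    return '<a href="admin.php?page=clickwhale-links&id=' . $row['id'] . '">'
        . $row['title'] . '</a>';
}

// Hardened pattern: escape on output, using the escaper that matches the
// context the value lands in (attribute value vs. element body).
function column_title_fixed(array $row): string {
    $url = 'admin.php?page=clickwhale-links&id=' . (int) $row['id'];
    return '<a href="' . esc_attr($url) . '">' . esc_html($row['title']) . '</a>';
}

// Constructed sample row: a title a low-privilege user could have saved.
$row = ['id' => 42, 'title' => 'Promo <script>alert(1)</script>'];

echo 'vulnerable: ' . column_title_vulnerable($row) . PHP_EOL;
echo 'fixed:      ' . column_title_fixed($row) . PHP_EOL;

// Self-check: no raw tag survives in the escaped output.
if (strpos(column_title_fixed($row), '<script') !== false) {
    throw new RuntimeException('escaping failed');
}
```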

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once an attacker has Contributor-level credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3219341/clickwhale/tags/2.4.2/includes/admin/links/Clickwhale_Links_List_Table.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the ClickWhale plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.4.2 from the WordPress plugin repository and manually replace the plugin files.

🔧 Temporary Workarounds

Remove Contributor Role Access

Temporarily restrict plugin access to only Administrators and Editors until patching.

Disable Plugin

Deactivate ClickWhale plugin if not essential for site functionality.

wp plugin deactivate clickwhale

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in link titles
  • Regularly audit user accounts and remove unnecessary Contributor roles

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for ClickWhale version. If version is 2.4.1 or lower, the system is vulnerable.

Check Version:

wp plugin get clickwhale --field=version

Verify Fix Applied:

After updating, verify plugin version shows 2.4.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual link title modifications by Contributor users
  • Multiple failed login attempts followed by successful Contributor login

Network Indicators:

  • Unexpected script tags in link title parameters
  • External JavaScript loading from link titles

SIEM Query:

source="wordpress.log" AND ("clickwhale" OR "link title") AND ("script" OR "javascript:" OR "onerror=" OR "onload=")
