CVE-2025-11987
📋 TL;DR
The Visual Link Preview WordPress plugin up to version 2.2.7 has a stored XSS vulnerability in its shortcode functionality. Authenticated attackers with contributor-level access or higher can inject malicious scripts that execute when users view compromised pages. This affects WordPress sites using vulnerable plugin versions.
💻 Affected Systems
- WordPress Visual Link Preview plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install backdoors for persistent access.
Likely Case
Malicious contributors inject tracking scripts, ads, or cryptocurrency miners that affect site visitors.
If Mitigated
With proper user access controls and content review, impact is limited to potential data leakage from visitors.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3388877/visual-link-preview/trunk/templates/link/simple/simple.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Visual Link Preview
4. Click 'Update Now' if available
5. If no update appears, manually download latest version from WordPress repository
6. Deactivate and delete old version
7. Upload and activate new version
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate visual-link-preview
Restrict User Roles
allRemove contributor-level posting permissions from untrusted users
🧯 If You Can't Patch
- Implement strict content review process for all posts by contributors
- Add web application firewall rules to block XSS payloads in shortcode attributes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Visual Link Preview → Version. If version is 2.2.7 or lower, you are vulnerable.Check Version:
wp plugin get visual-link-preview --field=versionVerify Fix Applied:
After update, verify version is 2.2.8 or higher in plugin details.📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode usage in posts
- Multiple post edits by contributor accounts
- Script tags in post content
Network Indicators:
- External script loads from post content
- Suspicious outbound connections from page views
SIEM Query:
source="wordpress" AND (event="post_edit" OR event="post_publish") AND user_role="contributor" AND content CONTAINS "[visual-link-preview"🔗 References
- https://plugins.trac.wordpress.org/browser/visual-link-preview/tags/2.2.7/includes/public/class-vlp-link.php#L56
- https://plugins.trac.wordpress.org/browser/visual-link-preview/tags/2.2.7/templates/link/simple/simple.php#L1
- https://plugins.trac.wordpress.org/changeset/3388877/visual-link-preview/trunk/templates/link/simple/simple.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/65ae3119-61d1-4ec0-8ba2-352aae5cc834?source=cve
