| Plugin Name | Link Hopper |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2025-15483 |
| Urgency | Low |
| CVE Publish Date | 2026-02-13 |
| Source URL | CVE-2025-15483 |

Urgent: Stored XSS in Link Hopper (<= 2.5) — What WordPress Site Owners and Developers Need to Know

Date: 13 February 2026
Author: Hong Kong Security Expert

Summary

An authenticated stored cross-site scripting (XSS) vulnerability (CVE-2025-15483) has been disclosed in the Link Hopper plugin (versions up to and including 2.5). An authenticated administrator can inject HTML/JavaScript into the hop_name field, which is later rendered without appropriate escaping. Although exploitation requires administrator privileges, stored XSS that runs in an administrative context can lead to session theft, creation of backdoors, site defacement, and further compromise.
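
To check whether stored hop_name values would act as markup when rendered without escaping, the values can be exported and audited offline. The script below is an added example, not code from the plugin or from this advisory; the (id, hop_name) row shape and the sample rows are constructed assumptions.

```python
import html
from html.parser import HTMLParser


class MarkupFinder(HTMLParser):
    """Records why a stored value would be live markup if echoed unescaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event-handler:{name}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"js-uri:{name}")


def audit_hop_name(value):
    """Return the list of findings for one hop_name value (empty = plain text)."""
    finder = MarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def audit_rows(rows):
    """rows: iterable of (id, hop_name). Returns {id: findings} for flagged rows."""
    return {rid: f for rid, name in rows if (f := audit_hop_name(name))}


def render_escaped(value):
    """Escape at output; WordPress code would call esc_html() at this point."""
    return html.escape(value, quote=True)


# Constructed sample rows, not taken from any real site.
SAMPLE_ROWS = [
    (1, "spring-sale"),
    (2, "R&D docs < 2024"),
    (3, "Partner <b>new</b>"),
    (4, "<img src=x onerror=alert(1)>"),
    (5, '<a href="javascript:void(0)">docs</a>'),
]

if __name__ == "__main__":
    for rid, findings in audit_rows(SAMPLE_ROWS).items():
        print(rid, findings)
```

Rows 1 and 2 pass because a bare ampersand or a lone "<" is not a tag; every flagged value becomes inert text once it goes through render_escaped.
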
TL;DR — Immediate actions
- Check if Link Hopper is installed and confirm version. Treat versions ≤ 2.5 as vulnerable.
- If no vendor patch is available, consider disabling or removing the plugin until a secure release is published.
- Limit administrative access: review admin accounts, enforce strong passwords, enable MFA where possible.
- Search the database for hop_name entries containing HTML,