Attack Vectors
Link Hopper (slug: link-hopper) has a Medium severity vulnerability (CVSS 4.4) identified as CVE-2025-15483. The issue is a Stored Cross-Site Scripting (XSS) weakness that can be triggered through the “hop_name” parameter in Link Hopper versions 2.5 and below.
The attack requires an authenticated user with administrator-level access (or higher). In practical terms, this means the highest-risk scenarios are those involving compromised admin accounts, insider misuse, or poor access governance (shared admin credentials, overly broad privileges, weak MFA adoption).
This vulnerability only affects WordPress environments where the unfiltered_html capability is disabled, which specifically means multisite installations. If your organization operates multiple sites from a single WordPress multisite instance, the business impact can extend beyond a single brand or property.
Security Weakness
CVE-2025-15483 exists because Link Hopper does not sufficiently sanitize input and escape output for the “hop_name” value. As a result, an attacker with administrator privileges can store arbitrary script inside WordPress content or plugin-managed pages.
Because this is stored XSS, the harmful content persists and executes every time someone loads the affected page. That “repeatable execution” is what often turns a plugin issue into an ongoing business-risk problem, especially when multiple internal teams (marketing, content, compliance) regularly access the admin area.
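To make the weakness concrete, the following is an added PHP illustration and is not code from Link Hopper or its author. It shows a generic WordPress setting handler in the unsanitized shape the advisory describes, beside a hardened form that checks capability and nonce, sanitizes the hop_name value on save, and escapes it on output. The option name, nonce action and hook name are assumptions; the WordPress functions used are real core APIs.

```php
<?php
/**
 * Added illustration, not Link Hopper's own code. Demonstrates the general
 * pattern behind a stored XSS in a plugin-managed setting and its hardened
 * form. Option name, nonce action and hook name are assumptions.
 */

// --- Vulnerable pattern: raw input stored, raw output rendered -------------
function lh_vuln_save_hop_name() {
    if ( ! isset( $_POST['hop_name'] ) ) {
        return;
    }
    // No sanitization: whatever the administrator submitted is stored verbatim,
    // markup included. Core's KSES filtering applies to post content, not to
    // plugin options, so it offers no protection for this value.
    update_option( 'lh_hop_name', $_POST['hop_name'] );
}

function lh_vuln_render_hop_name() {
    // No escaping on output: stored markup is emitted into the page and runs
    // in the browser of every user who views it (the "repeatable execution").
    echo '<span class="hop">' . get_option( 'lh_hop_name' ) . '</span>';
}

// --- Hardened pattern: capability + nonce, sanitize on save, escape on output
function lh_safe_save_hop_name() {
    if ( ! isset( $_POST['hop_name'] ) ) {
        return;
    }
    // Only administrators may change the setting, and the request must carry
    // a valid nonce so a forged cross-site form cannot trigger the save.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'lh_save_hop_name' ); // nonce action name is assumed

    // A hop name is plain text: strip tags, control characters and extra
    // whitespace before it ever reaches the database.
    $hop_name = sanitize_text_field( wp_unslash( $_POST['hop_name'] ) );
    update_option( 'lh_hop_name', $hop_name );
}

function lh_safe_render_hop_name() {
    $hop_name = get_option( 'lh_hop_name', '' );
    // Escape for the context the value lands in: esc_html() for element
    // content, esc_attr() for attribute values. Escaping on output also
    // protects values that reached the database through an older, unsanitized
    // version of the handler.
    echo '<span class="hop" title="' . esc_attr( $hop_name ) . '">'
        . esc_html( $hop_name ) . '</span>';
}

// If a setting is meant to hold limited markup, honour the same boundary core
// uses: only users holding unfiltered_html may store raw HTML; everyone else
// is filtered through wp_kses_post(). On multisite, ordinary site
// administrators do not hold unfiltered_html, which is the population the
// advisory's affected-conditions note describes.
function lh_safe_sanitize_rich_setting( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

add_action( 'admin_post_lh_save_hop_name', 'lh_safe_save_hop_name' ); // hook name assumed
```

The design point is that sanitization on save and escaping on output are separate layers: sanitize_text_field() limits what can be stored, while esc_html()/esc_attr() guarantee that whatever is stored cannot change the page's structure when rendered. Keeping the capability and nonce checks in the save path limits the setting to the intended administrators and blocks cross-site form submissions from triggering the save.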
Technical or Business Impacts
For executives and business owners, the key question is not whether this is “technical,” but what it can do to revenue, brand, and operational continuity. A stored XSS issue in a marketing website can lead to unauthorized changes to site content, injected pop-ups or redirects, and erosion of visitor trust, all of which can directly affect conversion rates and campaign performance.
On the operational side, if a malicious script runs when staff view an affected page, it can create downstream risks such as exposure of sensitive information visible in the browser and workflow disruption (teams pausing campaigns, taking sites offline, or spending time on incident response rather than growth initiatives). In regulated environments, this can also create compliance and audit concerns if the incident affects user data handling or site integrity expectations.
Risk note: There is currently no known patch available for Link Hopper related to this issue. Organizations should weigh mitigations based on risk tolerance, and it may be appropriate to uninstall the plugin and replace it if the affected conditions (multisite and/or unfiltered_html disabled) apply.
Similar Attacks
Stored and reflected XSS vulnerabilities have been widely used in real-world website compromises, including large-scale plugin exploitation and campaigns designed to inject spam, redirects, or malicious scripts into legitimate sites. For context, here are a few well-documented examples:
Wordfence coverage of mass WordPress compromise campaigns involving vulnerable plugins
Cloudflare overview of Cross-Site Scripting (XSS) and its real-world impact
MDN Web Docs: Cross-site scripting (XSS) attack category and outcomes