CVE-2025-2889: 
WordPress vulnerability analysis and mitigation

The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Additional Parameters in versions up to and including 7.7.3. This vulnerability was discovered and disclosed on April 4, 2025. The issue affects WordPress installations with the Link Library plugin installed (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the Link Additional Parameters functionality. The CVSS v3.1 base score is 6.4 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should update their Link Library plugin to a version newer than 7.7.3 when available. Until then, site administrators should carefully monitor and restrict access to users with Contributor-level permissions and above (NVD).