CVE-2025-6385: 
WordPress vulnerability analysis and mitigation

The WP Applink plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6385) that affects all versions up to and including 0.4.1. The vulnerability was discovered and reported by Wordfence, with the initial disclosure date of July 24, 2025. The plugin has been temporarily closed for download since July 22, 2025, pending a full security review (NVD, WordPress).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue that exists in the 'title' parameter due to insufficient input sanitization and output escaping. The severity is rated as MEDIUM with a CVSS v3.1 base score of 6.4 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized access to user data or manipulation of website content (NVD).

The plugin has been temporarily closed and is not available for download as of July 22, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress).