Atomic Edge analysis of CVE-2026-22357:
The Link Whisper Free WordPress plugin, versions up to and including 0.9.0, contains a reflected cross-site scripting (XSS) vulnerability. This flaw exists in the plugin’s AI subscription management interface due to insufficient output escaping. The vulnerability allows unauthenticated attackers to inject arbitrary JavaScript, which executes in the context of a victim’s browser session. The CVSS score of 6.1 reflects a medium-severity impact requiring user interaction for successful exploitation.
Root Cause:
The vulnerability originates in the `link-whisper/core/Wpil/Settings.php` file. Atomic Edge research identified multiple instances where user-controlled variables are directly echoed into HTML output without proper escaping. Specifically, the `$ai_id` variable on line 1222, the `$sub->subscription_id` variable on the same line, and the `$sub->title` variable on line 2096 are all output without using the `esc_attr()` or `esc_html()` WordPress security functions. These variables are populated from user-supplied data processed by the plugin’s REST API endpoint in `Wpil/Rest.php`.
Exploitation:
An attacker can exploit this vulnerability by crafting a malicious link containing JavaScript payloads in the `ai_id` or `subscription_id` parameters. The attack targets the `/wp-admin/admin.php?page=link_whisper_ai_subscription` administrative page. When a logged-in WordPress administrator clicks the malicious link, the payload executes in the context of their session. The payload could steal session cookies, perform actions on behalf of the user, or deface the administrative interface.
Patch Analysis:
The patch in version 0.9.1 adds proper output escaping to all identified vulnerable locations. On line 1222 of `Settings.php`, the patch wraps `$ai_id` and `$sub->subscription_id` with `esc_attr()`. On line 2096, the patch adds a check for `isset($sub->title)` before output and wraps the variable with `esc_html()`. Additional security improvements include adding `esc_url()` to admin URL outputs on lines 644 and 2111, and casting the `$credits` variable to integers before output on lines 644, 1001, 1027, and 2074. The patch also improves input validation in `Wpil/Rest.php` by adding regular expression validation for the `token` and `user_id` parameters.
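The unescaped pattern from the root-cause section beside the escaped form the patch introduces, as an added illustration rather than Link Whisper's own code. The `esc_attr()`, `esc_html()` and `esc_url()` names mirror the WordPress functions named above, with local fallbacks so the file runs outside WordPress; the `$sub` record, the `render_row_*` functions, the `validate_rest_params` helper and its regular expressions are assumptions, since the write-up does not reproduce the plugin's markup or the exact patterns added to `Wpil/Rest.php`.

```php
<?php
// Added illustration, not code from the Link Whisper plugin. Shows the
// unescaped template pattern described in the root-cause section next to
// the escaped form applied in 0.9.1 (esc_attr in attribute context,
// isset() + esc_html in text context, (int) cast on credits, esc_url on links).

// Stand-ins for the WordPress escaping helpers so this runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // Stand-in: permit only http/https and escape for attribute context.
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (assumed markup): request-derived values are
// concatenated straight into attribute and text positions.
function render_row_vulnerable(string $ai_id, object $sub, $credits, string $admin_url): string {
    return '<tr data-ai="' . $ai_id . '" data-sub="' . $sub->subscription_id . '">'
         . '<td>' . $sub->title . '</td>'
         . '<td>' . $credits . '</td>'
         . '<td><a href="' . $admin_url . '">manage</a></td></tr>';
}

// Hardened pattern matching the patch description: escape per output context,
// guard the optional title with isset(), and coerce credits to an integer.
function render_row_hardened(string $ai_id, object $sub, $credits, string $admin_url): string {
    $title = isset($sub->title) ? esc_html($sub->title) : '';
    return '<tr data-ai="' . esc_attr($ai_id) . '" data-sub="' . esc_attr($sub->subscription_id) . '">'
         . '<td>' . $title . '</td>'
         . '<td>' . (int) $credits . '</td>'
         . '<td><a href="' . esc_url($admin_url) . '">manage</a></td></tr>';
}

// Assumed REST-side validation for the token and user_id parameters. The
// write-up says 0.9.1 adds regular-expression checks but not the patterns,
// so these are conservative illustrative choices, not the plugin's.
function validate_rest_params(array $params): array {
    $errors = [];
    if (!isset($params['token']) || !preg_match('/^[A-Za-z0-9_-]{16,128}$/', (string) $params['token'])) {
        $errors[] = 'token';
    }
    if (!isset($params['user_id']) || !preg_match('/^\d{1,10}$/', (string) $params['user_id'])) {
        $errors[] = 'user_id';
    }
    return $errors;
}

// Constructed sample data: a subscription record with a title containing
// markup, an attribute value that closes the quote early, and a non-numeric
// credits string. None of this is taken from the plugin.
$sub = (object) ['subscription_id' => 'sub_42"', 'title' => 'Starter <b>plan</b>'];
$tainted_id = '"><i>injected</i>';
$admin_url = 'javascript:void(0)';   // rejected by esc_url, kept verbatim by the vulnerable form

echo 'vulnerable: ', render_row_vulnerable($tainted_id, $sub, '12abc', $admin_url), PHP_EOL;
echo 'hardened:   ', render_row_hardened($tainted_id, $sub, '12abc', $admin_url), PHP_EOL;

// Quick self-check: the hardened row must not contain any raw '<' or '"'
// from the inputs outside the literal template.
$hardened = render_row_hardened($tainted_id, $sub, '12abc', $admin_url);
$raw_injected = strpos($hardened, '<i>injected</i>') !== false || strpos($hardened, '<b>plan</b>') !== false;
echo 'raw markup survived escaping: ', $raw_injected ? 'yes' : 'no', PHP_EOL;

echo 'rest validation errors: ', implode(',', validate_rest_params(['token' => 'bad token!', 'user_id' => '17'])), PHP_EOL;
```

Run with `php` from the command line: the vulnerable row emits the constructed `<i>` and `<b>` tags and the `javascript:` href unchanged, while the hardened row entity-encodes them, drops the rejected URL, and renders `12` for the credits value. The regex check reports only `token` as invalid for the sample input.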
Impact:
Successful exploitation allows attackers to execute arbitrary JavaScript in the victim’s browser. This can lead to session hijacking of WordPress administrators, enabling complete site compromise. Attackers could create new administrator accounts, modify plugin settings, inject backdoors, or redirect site visitors to malicious domains. The reflected nature requires social engineering to trick users into clicking a malicious link, but the impact is significant given the administrative context.
