What the vulnerability does
01 Description
The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower level users if access to the plugin is granted.
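As an added illustration (not ClickWhale's code, and not the plugin's actual export_csv() implementation), here is the bug class the description names, a CSV export that interpolates a request value into an unprepared WordPress query, beside the $wpdb->prepare() form a fix would use. The table and column names (`{$wpdb->prefix}cw_clicks`, `link_id`, `clicked_at`, `referrer`) and the `manage_options` capability are assumptions.

```php
<?php
// Added illustrative example; NOT ClickWhale's code. Table/column names and the
// capability are assumptions. Shows the advisory's bug class: a CSV export that
// builds a WordPress SQL query from an unprepared request value, and the fix.

// BEFORE (vulnerable pattern): request values are interpolated straight into SQL.
function cw_example_export_csv_unsafe( array $request ) {
    global $wpdb;
    $link_id = $request['link_id'];   // raw string, caller controlled
    $orderby = $request['orderby'];   // raw string, caller controlled
    $sql = "SELECT link_id, clicked_at, referrer FROM {$wpdb->prefix}cw_clicks "
         . "WHERE link_id = $link_id ORDER BY $orderby";
    return $wpdb->get_results( $sql, ARRAY_A );   // anything appended to the value runs as SQL
}

// AFTER (hardened): check capability, coerce and validate input, bind values with
// $wpdb->prepare(), and allow-list identifiers that prepare() cannot bind.
function cw_example_export_csv_safe( array $request ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    // %d binding plus absint(): only a positive integer ever reaches the query.
    $link_id = isset( $request['link_id'] ) ? absint( $request['link_id'] ) : 0;
    if ( 0 === $link_id ) {
        return new WP_Error( 'bad_request', 'link_id must be a positive integer.' );
    }
    // ORDER BY takes a column name, not a value; placeholders cannot bind identifiers,
    // so the request may only select from a fixed allow-list.
    $orderby = 'clicked_at';
    if ( isset( $request['orderby'] ) && is_string( $request['orderby'] )
         && in_array( $request['orderby'], array( 'clicked_at', 'referrer' ), true ) ) {
        $orderby = $request['orderby'];
    }
    $sql = $wpdb->prepare(
        "SELECT link_id, clicked_at, referrer FROM {$wpdb->prefix}cw_clicks "
        . "WHERE link_id = %d ORDER BY $orderby",
        $link_id
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    // Emit the CSV; fputcsv() handles quoting of the field values.
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="clicks.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'link_id', 'clicked_at', 'referrer' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
```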
Explanation of Vulnerability in Simple Terms
02 Summary
ClickWhale Link Manager versions up to and including 2.5.0 contain a SQL injection vulnerability in a database query that requires administrator privileges to exploit. An authenticated admin can inject malicious SQL code to read sensitive data from the database, such as user credentials or configuration details. The vulnerability does not allow data to be modified or the site to be made unavailable. Update to a version newer than 2.5.0 when available.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the site database, such as user credentials or configuration information.
Potential impact on your site
04 Site Impact
An admin account compromise could expose your database contents, including user data and site secrets.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator-level access to the ClickWhale plugin.
Key dates
06 Disclosure timeline
September 20, 2025: CVE published
April 8, 2026: Record updated