CVE-2025-11262 is a stored XSS vulnerability in the Link Whisper Free WordPress plugin affecting all versions up to and including 0.9.0. Unauthenticated attackers can inject malicious scripts via the user_id parameter, with stored payloads executing in the browser of every subsequent visitor to affected pages. The zero-authentication requirement and stored delivery mechanism make this a broad-reach vulnerability on any public WordPress site running this plugin.