Description
The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL injection exposing sensitive data
Action: Immediate Patch
AI Analysis

Impact

The URL Shortener Plugin for WordPress is vulnerable to SQL injection via the analytic_id parameter in all versions up to and including 3.0.7. Insufficient escaping of the user-supplied value and the absence of a prepared statement allow unauthenticated attackers to append arbitrary SQL to the existing query, enabling extraction of sensitive data from the database. This is a classic CWE-89 injection vulnerability that compromises the confidentiality of stored information.

Affected Systems

The vulnerability affects the URL Shortener Plugin for WordPress developed by rupok98. Any installation of the plugin at version 3.0.7 or earlier is impacted. WordPress sites that have not yet migrated to a newer version of the plugin are at risk.

Risk and Exploitability

The CVSS score is 9.8, denoting a critical severity level, while the EPSS score is below 1%, indicating a low probability of exploitation yet still requiring prompt action. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely and without authentication by sending crafted HTTP requests containing an analytic_id value that injects malicious SQL. Once exploited, the attacker could read or manipulate database contents.

Generated by OpenCVE AI on April 22, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a version later than 3.0.7 released by the vendor.
  • If an update is not immediately available, disable or remove the URL Shortener Plugin from the WordPress installation to eliminate the attack vector.
  • Implement input validation or restrict the analytic_id parameter to known safe values and ensure subsequent SQL queries use parameterized statements or proper escaping.
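One way to apply the last recommendation in WordPress plugin code, as an illustrative example added here and not the plugin's actual source: a hypothetical analytics lookup handler in its vulnerable shape beside the hardened version, which validates analytic_id as a positive integer and binds it with $wpdb->prepare(). The function names and the table name are assumptions.

```php
<?php
// Hypothetical handler for a request such as ?analytic_id=123 (constructed for
// this page; not the plugin's real code). Assumes WordPress is loaded so that
// $wpdb, absint(), WP_Error and wp_send_json_error() are available.

// VULNERABLE SHAPE (the CWE-89 pattern the advisory describes): the raw request
// value is concatenated into SQL, so the attacker controls query structure.
function urlshort_demo_get_analytics_vulnerable() {
    global $wpdb;
    $analytic_id = isset( $_GET['analytic_id'] ) ? $_GET['analytic_id'] : '';
    $table = $wpdb->prefix . 'urlshort_demo_analytics'; // assumed table name
    $sql   = "SELECT id, short_code, clicks FROM {$table} WHERE id = " . $analytic_id;
    return $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED SHAPE: reject anything that is not a positive integer before the
// query is built, then let $wpdb->prepare() bind the value with %d so the
// parameter can never alter the statement. Both steps matter: validation gives
// a clean 400 for garbage, prepare() is the actual injection barrier.
function urlshort_demo_get_analytics_safe() {
    global $wpdb;
    $raw = isset( $_GET['analytic_id'] ) ? (string) $_GET['analytic_id'] : '';
    if ( '' === $raw || ! ctype_digit( $raw ) || 0 === absint( $raw ) ) {
        return new WP_Error(
            'urlshort_demo_bad_id',
            'analytic_id must be a positive integer',
            array( 'status' => 400 )
        );
    }
    $analytic_id = absint( $raw );
    $table = $wpdb->prefix . 'urlshort_demo_analytics'; // assumed table name
    // %d forces integer binding; the table name comes from $wpdb->prefix, not
    // from the request, so it is safe to interpolate here.
    $sql = $wpdb->prepare(
        "SELECT id, short_code, clicks FROM {$table} WHERE id = %d",
        $analytic_id
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Example wiring for an AJAX endpoint: if the analytics data is sensitive, add a
// capability check here as well; the query hardening alone does not address
// who is allowed to read the rows.
add_action( 'wp_ajax_urlshort_demo_analytics', function () {
    $result = urlshort_demo_get_analytics_safe();
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( $result );
} );
```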


Tracking


Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 14 Dec 2025 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Rupok98; Rupok98 url Shortener Plugin For Wordpress; Wordpress; Wordpress wordpress
Vendors & Products                    Rupok98; Rupok98 url Shortener Plugin For Wordpress; Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 06:45:00 +0000

Type Values Removed Values Added
Description The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title URL Shortener Plugin For WordPress <= 3.0.7 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Rupok98 Url Shortener Plugin For Wordpress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:13.910Z

Reserved: 2025-09-19T16:18:05.852Z

Link: CVE-2025-10738

Vulnrichment

Updated: 2025-12-15T15:30:19.979Z

NVD

Status : Deferred

Published: 2025-12-13T16:16:44.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:45:27Z

Weaknesses