Description
The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links.
Published: 2025-10-24
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized link modification
Action: Apply patch
AI Analysis

Impact

The URL Shortener Plugin for WordPress is missing a capability check on the verifyRequest function in the API, allowing authenticated users with subscriber-level access or higher to modify short links. This flaw can be exploited to redirect traffic to malicious sites or alter legitimate link destinations, potentially enabling phishing, defacement, or other link abuse. The record lists the weakness as CWE-89; the description and title characterize the flaw as missing authorization.

Affected Systems

Vendor rupok98 offers the URL Shortener Plugin for WordPress. Versions up to and including 3.0.7 are affected; all newer releases are presumed fixed.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% suggests the exploitation probability is currently low. The vulnerability is not listed in CISA KEV, further implying limited widespread attacks. Based on the description, it is inferred that the attack requires an authenticated user with subscriber privileges and that the attack vector involves API requests to the plugin or use of the plugin interface; the attacker can manipulate short links.

Generated by OpenCVE AI on April 27, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the URL Shortener Plugin to a version newer than 3.0.7, which includes the missing capability check.
  • If an update is unavailable, disable or uninstall the plugin for all users or for the Subscriber role to prevent link modification.
  • Restrict the Subscriber role’s permissions by removing or limiting any capability that allows link management, ensuring only administrators can modify short links.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rupok98; Rupok98 url Shortener Plugin For Wordpress; Wordpress; Wordpress wordpress
Vendors & Products | | Rupok98; Rupok98 url Shortener Plugin For Wordpress; Wordpress; Wordpress wordpress

Fri, 24 Oct 2025 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Oct 2025 08:30:00 +0000

Type | Values Removed | Values Added
Description | | The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links.
Title | | URL Shortener Plugin For WordPress <= 3.0.7 - Missing Authorization to Authenticated (Subscriber+) Link Manipulation
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:22.408Z

Reserved: 2025-09-19T17:34:15.725Z

Link: CVE-2025-10740

Vulnrichment

Updated: 2025-10-24T16:26:35.898Z

NVD

Status: Deferred

Published: 2025-10-24T09:15:41.303

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:45:15Z
