Impact
The vulnerability is a Server-Side Request Forgery (SSRF) flaw in the Md Yeasin Ul Haider URL Shortener "exact-links" plugin. It lets an attacker make the server issue arbitrary HTTP or HTTPS requests to internal or external resources. It is inferred from the description that an attacker could potentially expose sensitive internal data, facilitate further lateral movement, or reach services that are otherwise inaccessible from the public network. The weakness is identified as CWE-918.
Affected Systems
The affected product is the Md Yeasin Ul Haider URL Shortener plugin, versions from the earliest available through 3.0.7 inclusive. No specific sub‑versions beyond the upper bound are listed.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score is reported as < 1%, suggesting a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, triggered via a crafted request to the plugin endpoint. It is inferred from the description that an attacker could supply a malicious URL parameter, causing the server to fetch a target resource and potentially expose internal networks or sensitive data. No exploitation example has been publicly documented, so the path is theoretically possible but unverified in the wild.
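A destination check of the kind that mitigates CWE-918 in a component that fetches user-supplied URLs, as an added example (not the plugin's code or its fix). It is written in Python to show the logic independent of the plugin; `check_destination`, the resolvers and the sample DNS table are hypothetical names and constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS data so the example runs offline.
CONSTRUCTED_DNS = {
    "news.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "169.254.169.254"],
}

def constructed_resolver(host):
    # IP literals "resolve" to themselves, as with a real resolver.
    return CONSTRUCTED_DNS.get(host, [host])

def system_resolver(host):
    """Every address (IPv4 and IPv6) the host name resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_destination(url, resolver=system_resolver):
    """Return (allowed, reason, addresses) for a user-supplied target URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed", []
    if not host or parts.username is not None:
        return False, "missing host or embedded credentials", []
    try:
        addresses = resolver(host)
    except OSError:
        addresses = []
    if not addresses:
        return False, "host does not resolve", []
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop IPv6 zone id
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) before classifying.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # is_global is False for loopback, RFC 1918, link-local (including
        # 169.254.169.254), unique-local and reserved ranges.
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}", []
    # Connect to one of these addresses instead of re-resolving the name,
    # and re-run the check on every redirect target.
    return True, "ok", addresses
```

The check rejects a name if any of its addresses is non-public, which is why `mixed.example` fails even though one of its records is a public address.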