Impact
The WordPress URL Shortener plugin by Md Yeasin Ul Haider fails to perform an authorization check before executing actions that should be restricted to privileged users, so any user interacting with the site can invoke them. This broken access control flaw could let an attacker create, modify, or delete shortened URLs and potentially gain further influence over the site's content or structure. The weakness is a textbook instance of CWE-862 (Missing Authorization): the code never verifies that the caller is permitted to perform the requested action, which translates into integrity and availability impacts on the application.
Affected Systems
The defect exists in the Md Yeasin Ul Haider URL Shortener plugin (slug: exact-links) for WordPress, in versions 3.0.7 and earlier. Any WordPress installation that has this plugin installed and has not yet been updated past 3.0.7 is potentially vulnerable.
Risk and Exploitability
A CVSS score of 8.6 places the issue at high severity, reflecting both the breadth of the potential impact and the simplicity of exploitation. The EPSS score below 1% suggests that the probability of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Even so, because the flaw lets unauthenticated or minimally privileged users trigger protected plugin functionality, an attacker could exploit it simply by sending crafted HTTP requests to the plugin's endpoints. No prior foothold or code execution is required, so it can be used directly against any live site that exposes the plugin. Note that EPSS reflects current observations and can rise quickly once exploitation details circulate; treat the installed plugin version, not the EPSS figure, as the trigger for remediation.
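To make the CWE-862 pattern described above concrete, the following is an added illustration written for this page; it is not the exact-links plugin's code and does not reproduce its endpoints. The action names (`example_shortlink_save`, `example_shortlink_save_v2`), the option key `example_shortlinks`, the REST namespace `example/v1`, and the function names are all hypothetical. It contrasts a WordPress admin-ajax handler that performs no authorization check with a hardened version, and shows the equivalent mistake in a REST route (`permission_callback` set to `__return_true`).

```php
<?php
/**
 * Added illustration of CWE-862 (Missing Authorization) in a WordPress plugin.
 * NOT the exact-links plugin's code; all names below are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The handler is registered for both logged-in (wp_ajax_) and anonymous
// (wp_ajax_nopriv_) callers and performs no capability or nonce check, so any
// HTTP client can create or overwrite a short link with a single POST to
// /wp-admin/admin-ajax.php?action=example_shortlink_save.
add_action( 'wp_ajax_example_shortlink_save',        'example_shortlink_save_vulnerable' );
add_action( 'wp_ajax_nopriv_example_shortlink_save', 'example_shortlink_save_vulnerable' );

function example_shortlink_save_vulnerable() {
    $slug   = sanitize_title( wp_unslash( $_POST['slug'] ?? '' ) );
    $target = esc_url_raw( wp_unslash( $_POST['target'] ?? '' ) );

    // Input is sanitized, but nobody asked whether the caller may do this at all.
    $links          = get_option( 'example_shortlinks', array() );
    $links[ $slug ] = $target;
    update_option( 'example_shortlinks', $links );

    wp_send_json_success( array( 'slug' => $slug ) );
}

// --- Hardened pattern -------------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: anonymous requests never reach the handler.
// 2. check_ajax_referer() rejects requests without a valid nonce (CSRF).
// 3. current_user_can() is the authorization check that CWE-862 is about;
//    the nonce alone does not establish that the user is allowed to act.
add_action( 'wp_ajax_example_shortlink_save_v2', 'example_shortlink_save_hardened' );

function example_shortlink_save_hardened() {
    // Nonce must have been issued with wp_create_nonce( 'example_shortlink_save' ).
    check_ajax_referer( 'example_shortlink_save', 'nonce' );

    // Authorization: pick the narrowest capability that fits the action.
    // 'manage_options' is used here as a stand-in for an admin-only action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $slug   = sanitize_title( wp_unslash( $_POST['slug'] ?? '' ) );
    $target = esc_url_raw( wp_unslash( $_POST['target'] ?? '' ) );
    if ( '' === $slug || '' === $target ) {
        wp_send_json_error( array( 'message' => 'Missing slug or target.' ), 400 );
    }

    $links          = get_option( 'example_shortlinks', array() );
    $links[ $slug ] = $target;
    update_option( 'example_shortlinks', $links );

    wp_send_json_success( array( 'slug' => $slug ) );
}

// --- The same bug in the REST API -------------------------------------------
// A permission_callback of '__return_true' makes the route world-writable.
// The hardened form delegates the decision to current_user_can().
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/shortlink', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_rest_shortlink_save',
        // Vulnerable: 'permission_callback' => '__return_true',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'slug'   => array( 'required' => true, 'sanitize_callback' => 'sanitize_title' ),
            'target' => array( 'required' => true, 'sanitize_callback' => 'esc_url_raw' ),
        ),
    ) );
} );

function example_rest_shortlink_save( WP_REST_Request $request ) {
    $links                          = get_option( 'example_shortlinks', array() );
    $links[ $request['slug'] ]      = $request['target'];
    update_option( 'example_shortlinks', $links );

    return rest_ensure_response( array( 'slug' => $request['slug'] ) );
}
```

When auditing a plugin for this class of bug, grep for every `wp_ajax_nopriv_` registration, every `admin_post_nopriv_` hook, and every `permission_callback` that returns `true` unconditionally, then confirm that each reachable handler calls `current_user_can()` (or an equivalent capability check) before it writes state. A nonce check on its own is not authorization: a low-privileged logged-in user can obtain a valid nonce from any page that embeds it.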
OpenCVE Enrichment