Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia ShortLinks Pro shortlinkspro allows SQL Injection.This issue affects ShortLinks Pro: from n/a through <= 1.0.7.
Published: 2025-06-06
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ShortLinks Pro plugin, developed by Ruben Garcia, contains an improper handling of user input that allows an attacker to inject arbitrary SQL commands into database queries. This flaw, identified as CWE‑89, can lead to unauthorized disclosure, modification, or deletion of data stored in the WordPress site’s database, compromising confidentiality, integrity, and potentially availability. The vulnerability affects all installations running ShortLinks Pro version 1.0.7 or earlier.

Affected Systems

WordPress sites that have the ShortLinks Pro plugin version 1.0.7 or earlier installed. Any installation using a vulnerable version is within scope.

Risk and Exploitability

The risk rating is CVSS 7.6, indicating a high severity. The EPSS score of less than 1% suggests a low probability of exploitation at the time of assessment, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit this vulnerability remotely by supplying malicious payloads through the plugin’s input fields or URL parameters, requiring network access to the WordPress site and the ability to submit requests. Successful exploitation could permit read or write access to the database depending on the database user's privileges.

Generated by OpenCVE AI on May 1, 2026 at 07:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShortLinks Pro (Ruben Garcia) to a version newer than 1.0.7.
  • If an update cannot be performed immediately, disable or delete the ShortLinks Pro plugin to eliminate the vulnerable code path.
  • Restrict the database user privileges associated with WordPress to the minimum required and ensure any remaining input is properly sanitized or escaped.

Generated by OpenCVE AI on May 1, 2026 at 07:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17245 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia ShortLinks Pro allows SQL Injection. This issue affects ShortLinks Pro: from n/a through 1.0.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia ShortLinks Pro allows SQL Injection. This issue affects ShortLinks Pro: from n/a through 1.0.7. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia ShortLinks Pro shortlinkspro allows SQL Injection.This issue affects ShortLinks Pro: from n/a through <= 1.0.7.
Title WordPress ShortLinks Pro <= 1.0.7 - SQL Injection Vulnerability WordPress ShortLinks Pro plugin <= 1.0.7 - SQL Injection Vulnerability
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia ShortLinks Pro allows SQL Injection. This issue affects ShortLinks Pro: from n/a through 1.0.7.
Title WordPress ShortLinks Pro <= 1.0.7 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:01.796Z

Reserved: 2025-06-04T09:42:17.747Z

Link: CVE-2025-49327

cve-icon Vulnrichment

Updated: 2025-06-06T15:38:32.949Z

cve-icon NVD

Status : Deferred

Published: 2025-06-06T13:15:50.083

Modified: 2026-04-23T15:31:28.420

Link: CVE-2025-49327

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:00:13Z

Weaknesses