Description
The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-07-11
Score: 7.2 High
EPSS: 1.9% Low
KEV: No
Impact: Server‑Side Request Forgery (unauthenticated)
Action: Immediate Patch
AI Analysis

Impact

The Broken Link Notifier plugin allows an unauthenticated attacker to cause the web application to issue HTTP requests to arbitrary destinations through the ajax_blinks() handler. This Server‑Side Request Forgery can be used to interrogate or change data from internal services, potentially exposing sensitive information or undermining service integrity. The weakness is identified as CWE‑918 and presents a security impact that includes confidentiality, integrity, and availability concerns for internal resources.

Affected Systems

The vulnerability affects the PluginRX "Broken Link Notifier" WordPress plugin in all releases up to and including version 1.3.0. Any WordPress site that has a version of this plugin in that range is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 7.2, the vulnerability is considered high severity. The EPSS score of 2% indicates a moderate likelihood that exploitation will occur, and the issue is not yet listed in the CISA KEV catalog. Attack vectors require an unauthenticated HTTP request to the plugin’s AJAX endpoint, suggesting that attackers could be any external user who can submit a crafted request to the site.

Generated by OpenCVE AI on April 22, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Broken Link Notifier to the latest available version (greater than 1.3.0).
  • If an update cannot be applied immediately, block outbound requests from the WordPress site or restrict the AJAX endpoint by adjusting the web server rules or firewall to prevent the plugin from contacting internal networks.
  • Re‑evaluate the plugin’s configuration to ensure that only authorized users can trigger the observable functions, and consider removing or disabling the ajax_blinks feature until the issue is resolved.

Generated by OpenCVE AI on April 22, 2026 at 14:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21125 The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
History

Thu, 17 Jul 2025 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Pluginrx
Pluginrx broken Link Notifier
CPEs cpe:2.3:a:pluginrx:broken_link_notifier:*:*:*:*:*:wordpress:*:*
Vendors & Products Pluginrx
Pluginrx broken Link Notifier

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

 epss

{'score': 0.00052}

Fri, 11 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

Fri, 11 Jul 2025 08:30:00 +0000

Type Values Removed Values Added
Description The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title Broken Link Notifier <= 1.3.0 - Unauthenticated Server-Side Request Forgery
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Pluginrx Broken Link Notifier
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:43.420Z

Reserved: 2025-06-27T18:57:21.368Z

Link: CVE-2025-6851

cve-icon Vulnrichment

Updated: 2025-07-11T15:33:21.796Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-11T09:15:25.370

Modified: 2025-07-17T13:11:21.863

Link: CVE-2025-6851

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses