Description
Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery. This issue affects Link Library: from n/a through <= 7.8.7.
Published: 2025-12-24
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Server-Side Request Forgery flaw in the WordPress Link Library plugin. An attacker can cause the server to fetch arbitrary URLs, potentially accessing internal network resources or exfiltrating data. This flaw maps to CWE-918 and can lead to confidentiality breaches and affect the integrity of remote resources. It does not provide direct code execution, but unintended requests could expose sensitive information or enable further attacks.

Affected Systems

WordPress sites running the Link Library plugin at version 7.8.7 or earlier are affected. The plugin, developed by Yannick Lefebvre, is used to manage link collections in WordPress installations. No specific environment constraints are listed, so any WordPress installation that includes a vulnerable plugin version is at risk.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate risk. The EPSS score of less than 1% suggests the likelihood of exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to inject a malicious link or otherwise influence the plugin to process a crafted URL; thus the exploit vector is likely through authenticated or unauthenticated content submission. Given the moderate severity and low exploitation probability, the overall risk is moderate but still warrants monitoring.

Generated by OpenCVE AI on April 29, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Link Library plugin to the latest version (7.8.8 or newer) once an update is available.
  • Configure WordPress to block outbound HTTP requests by adding `define( 'WP_HTTP_BLOCK_EXTERNAL', true );` to wp-config.php.
  • Restrict outbound connections at the network level by firewalling traffic from the web server to internal or sensitive IP ranges.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery. This issue affects Link Library: from n/a through <= 7.8.4.
Values Added: Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery. This issue affects Link Library: from n/a through <= 7.8.7.

Type: Title
Values Removed: WordPress Link Library plugin <= 7.8.4 - Server Side Request Forgery (SSRF) vulnerability
Values Added: WordPress Link Library plugin <= 7.8.7 - Server Side Request Forgery (SSRF) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 12:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Ylefebvre; Ylefebvre link Library

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Ylefebvre; Ylefebvre link Library

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 13:15:00 +0000

Type: Description
Values Added: Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery. This issue affects Link Library: from n/a through <= 7.8.4.

Type: Title
Values Added: WordPress Link Library plugin <= 7.8.4 - Server Side Request Forgery (SSRF) vulnerability

Type: Weaknesses
Values Added: CWE-918

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:31.242Z

Reserved: 2025-12-19T10:20:05.495Z

Link: CVE-2025-68600

Vulnrichment

Updated: 2025-12-24T18:44:51.659Z

NVD

Status: Deferred

Published: 2025-12-24T13:16:27.530

Modified: 2026-04-27T19:16:35.787

Link: CVE-2025-68600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:30:14Z

Weaknesses