{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-7507", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-11T20:42:31.722Z", "datePublished": "2025-08-15T08:25:40.562Z", "dateUpdated": "2025-08-15T16:09:44.837Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-15T08:25:40.562Z"}, "affected": [{"vendor": "elinkcontent", "product": "elink \u2013 Embed Content", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The elink \u2013 Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to supply an HTML file that can be leverged to redirect users to a malicious domain."}], "title": "elink \u2013 Embed Content <= 1.1.0 - Authenticated (Contributor+) Insufficient Input Validation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bda249f7-07a9-47ba-bba4-85abd8f8a207?source=cve"}, {"url": "https://wordpress.org/plugins/elink-embed-content/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Shreyas Malhotra"}], "timeline": [{"time": "2025-08-14T20:11:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-15T16:09:09.297566Z", "id": "CVE-2025-7507", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T16:09:44.837Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-15T16:09:09.297566Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T16:09:40.397Z"}}], "cna": {"title": "elink \u2013 Embed Content <= 1.1.0 - Authenticated (Contributor+) Insufficient Input Validation", "credits": [{"lang": "en", "type": "finder", "value": "Shreyas Malhotra"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"}}], "affected": [{"vendor": "elinkcontent", "product": "elink \u2013 Embed Content", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-14T20:11:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bda249f7-07a9-47ba-bba4-85abd8f8a207?source=cve"}, {"url": "https://wordpress.org/plugins/elink-embed-content/"}], "descriptions": [{"lang": "en", "value": "The elink \u2013 Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to supply an HTML file that can be leverged to redirect users to a malicious domain."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-15T08:25:40.562Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7507", "state": "PUBLISHED", "dateUpdated": "2025-08-15T16:09:44.837Z", "dateReserved": "2025-07-11T20:42:31.722Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-15T08:25:40.562Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The elink \u2013 Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to supply an HTML file that can be leverged to redirect users to a malicious domain."}], "id": "CVE-2025-7507", "lastModified": "2025-08-15T13:12:51.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-08-15T09:15:27.603", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/elink-embed-content/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bda249f7-07a9-47ba-bba4-85abd8f8a207?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"created": "2025-08-16T21:40:55.406756+00:00", "updated": "2025-08-16T21:40:55.406827+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}