Description
The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of SEO links via cross‑site request forgery
Action: Patch
AI Analysis

Impact

The vulnerability in the Internal Links Manager plugin allows a forged request to bypass nonce validation in the link deletion workflow, enabling an attacker to delete SEO links without authentication. This results in accidental removal of internal link data that could affect site search ranking and content integrity. The flaw is a classic CSRF weakness, classified as CWE‑352.

Affected Systems

WordPress plugin Internal Links Manager from vendor webraketen, affecting all releases up to and including version 3.0.1. No specific sub‑versions within that range are singled out; any installation of 3.0.1 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to trick a site administrator into executing a URL that triggers the bulk deletion action, so social engineering remains a prerequisite. If successful, the attacker gains the ability to delete internal links, potentially derailing SEO efforts but not compromising the core WordPress installation.

Generated by OpenCVE AI on April 20, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Internal Links Manager plugin version once a patch is released.
  • If a newer release is not yet available, edit or disable the bulk link deletion functionality to remove the vulnerable process_bulk_action endpoint.
  • Apply strong authentication controls and session management for administrators to mitigate the risk of accidental CSRF attacks.
  • Monitor site logs for unexpected link deletions and audit user activity for signs of exploitation.

Generated by OpenCVE AI on April 20, 2026 at 21:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30309 The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 22 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Webraketen
Webraketen internal Links Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Webraketen
Webraketen internal Links Manager Plugin
Wordpress
Wordpress wordpress

Sat, 20 Sep 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Internal Links Manager <= 3.0.1 - Cross-Site Request Forgery
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Webraketen Internal Links Manager Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:49.051Z

Reserved: 2025-09-03T13:40:10.996Z

Link: CVE-2025-9949

cve-icon Vulnrichment

Updated: 2025-09-22T15:05:14.326Z

cve-icon NVD

Status : Deferred

Published: 2025-09-20T05:15:35.840

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9949

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses