vulnerability

WordPress Plugin: broken-link-notifier: CVE-2025-6851: Server-Side Request Forgery (SSRF)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Jul 10, 2025

Added

Jul 11, 2025

Modified

Apr 30, 2026

Description

The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Solution

broken-link-notifier-plugin-cve-2025-6851

References

https://www.cve.org/CVERecord?id=CVE-2025-6851
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f76c9f8-c57a-4875-b581-f67c9c60021c?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-21125
CVE-2025-6851
https://attackerkb.com/topics/CVE-2025-6851
CWE-918
EUVD-EUVD-2025-21125

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report