Server-Side Request Forgery Vulnerability in Broken Link Notifier Plugin for WordPress
CVE-2025-6851

7.2 HIGH

Key Information:

Vendor

WordPress

CVE Published:
11 July 2025

What is CVE-2025-6851?

The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 1.3.0. The flaw is in the ajax_blinks() function, which calls check_url_status_code(). It allows unauthenticated attackers to make web requests to arbitrary locations that originate from the web application, which can be used to query and modify information from internal services. Appropriate security measures should be taken to mitigate the risks associated with this vulnerability.

Affected Version(s)

Broken Link Notifier * <= 1.3.0

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonas Benjamin Friedli