Platform
wordpress
Component
exact-links
Fixed in
3.0.8
CVE-2025-28959 describes a SQL Injection vulnerability discovered in the URL Shortener plugin. This flaw allows attackers to inject arbitrary SQL code into database queries, potentially leading to unauthorized data access and modification. The vulnerability impacts versions from 0.0.0 through 3.0.7, and a patch is available in version 3.0.8.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the underlying database. This includes the ability to extract sensitive user data (usernames, passwords, email addresses), modify existing data, or even delete entire tables. Depending on the database configuration and application logic, an attacker could potentially gain access to other systems within the network, leading to a significant data breach and disruption of services. The impact is amplified if the database contains credentials for other services or access to sensitive business information.
CVE-2025-28959 was publicly disclosed on 2025-07-16. The vulnerability's severity is considered CRITICAL due to the potential for complete database compromise. No public proof-of-concept exploits have been identified at the time of writing, but the ease of SQL injection exploitation suggests a high probability of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the URL Shortener plugin, particularly those running older versions (0.0.0–3.0.7), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose the databases of others.
• wordpress / composer / npm:
grep -ri "URL Shortener" /var/www/html/wp-content/plugins/exact-links/   # confirm the plugin is installed under its exact-links slug
wp plugin get exact-links --field=version   # anything below 3.0.8 is affected
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/exact-links/readme.txt | grep -i "stable tag"   # readme.txt is exposed by most plugins; compare the tag against 3.0.8
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-28959 is to immediately upgrade the URL Shortener plugin to version 3.0.8 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out potentially malicious SQL injection attempts. Thoroughly review and sanitize all user inputs to prevent SQL injection attacks. Regularly audit database access logs for suspicious activity.
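The input-sanitization advice above is easiest to see in code. The following is an added illustration written for this page, not the plugin's own code: a hypothetical short-link lookup in the unsafe string-interpolation form beside the form that binds the value through $wpdb->prepare(). The table and column names are assumptions.

```php
<?php
// Added example, not code from the URL Shortener plugin. Table and column
// names ("exact_links", "slug", "target_url") are hypothetical.

// UNSAFE: the request value is spliced into the SQL text. A quote character
// in $slug terminates the string literal and everything after it is parsed
// as SQL, which is the root cause of SQL injection in WordPress plugins.
function exact_links_lookup_unsafe( $slug ) {
    global $wpdb;
    $table = $wpdb->prefix . 'exact_links';
    return $wpdb->get_row( "SELECT target_url FROM {$table} WHERE slug = '{$slug}'" );
}

// SAFE: $wpdb->prepare() binds $slug as a %s parameter, so the database
// driver always treats it as data, never as SQL syntax. Identifiers such as
// the table name cannot be bound; they must come from trusted code
// ($wpdb->prefix plus a constant), never from the request.
function exact_links_lookup_safe( $slug ) {
    global $wpdb;
    $table = $wpdb->prefix . 'exact_links';
    $sql   = $wpdb->prepare(
        "SELECT target_url FROM {$table} WHERE slug = %s",
        $slug
    );
    return $wpdb->get_row( $sql );
}

// Call site: unslash and sanitize the raw request value, then reject
// anything outside the slug alphabet before it reaches the query at all.
$slug = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
if ( '' !== $slug && preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $slug ) ) {
    $row = exact_links_lookup_safe( $slug );
}
```

The allow-list check is defence in depth; the prepared statement is what actually closes the injection, so it must be present even where input validation exists.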
Update the URL Shortener plugin to a fixed version. Consult the plugin's release notes for specific instructions on applying the update and mitigating the SQL injection vulnerability.
CVE-2025-28959 is a critical SQL Injection vulnerability affecting the URL Shortener WordPress plugin, allowing attackers to inject malicious SQL code.
You are affected if you are using URL Shortener versions 0.0.0 through 3.0.7. Upgrade to 3.0.8 or later to mitigate the risk.
Upgrade the URL Shortener plugin to version 3.0.8 or later. Consider implementing WAF rules and input sanitization as interim measures.
While no public exploits are currently known, the ease of SQL injection suggests a high probability of exploitation if left unpatched.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.