Platform: wordpress
Component: exact-links
Fixed in: 3.0.8
A critical SQL Injection vulnerability (CVE-2025-10738) has been identified in the URL Shortener Plugin For WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized access and data exfiltration. The vulnerability affects versions from 0.0.0 up to and including 3.0.7. A patch is expected to be released by the plugin developer.
The SQL Injection vulnerability in the URL Shortener Plugin For WordPress poses a significant risk to WordPress websites using this plugin. An attacker could exploit this flaw by manipulating the 'analytic_id' parameter to inject arbitrary SQL code. Successful exploitation could allow an attacker to bypass authentication, read sensitive data stored in the WordPress database (such as user credentials, post content, and configuration details), modify data, or even execute commands on the server. The potential impact extends to compromise of the entire WordPress installation and any connected systems. As with other SQL Injection flaws, the root cause is untrusted input reaching a database query without proper parameterization.
CVE-2025-10738 was publicly disclosed on 2025-12-13. The vulnerability's CRITICAL CVSS score (9.8) reflects the severity of an unauthenticated SQL injection, and the ease of exploitation inherent in SQL Injection vulnerabilities makes it likely that a public proof-of-concept (POC) will emerge, although none has been released at the time of writing. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.10% (27th percentile)
CISA SSVC: -
CVSS Vector: -
The primary mitigation for CVE-2025-10738 is to upgrade the URL Shortener Plugin For WordPress to a patched version as soon as one is available. Until a patch is applied, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement a Web Application Firewall (WAF) rule that filters requests whose 'analytic_id' parameter contains SQL-like syntax. Regularly review the privileges of the database user WordPress connects with, so that a successful attack cannot reach more than the plugin needs. Monitor web server access logs for requests whose 'analytic_id' parameter carries unexpected or SQL-like values.
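As an added illustration of the log-monitoring and WAF advice above (this is not part of the original advisory and not the plugin's code), the following Python script scans constructed access-log lines and flags any request whose 'analytic_id' parameter is not a plain integer. It assumes analytic_id is meant to be a numeric identifier; the log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2025:10:00:01 +0000] "GET /?analytic_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Dec/2025:10:00:02 +0000] "GET /?analytic_id=42%27%20OR%201%3D1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [13/Dec/2025:10:00:03 +0000] "GET /some-page/?analytic_id=7 HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.8 - - [13/Dec/2025:10:00:04 +0000] "GET /?analytic_id=1%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.2 - - [13/Dec/2025:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client IP, timestamp, method, target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# SQL-ish tokens that have no place in a numeric identifier; used only to label the reason.
SQL_TOKEN_RE = re.compile(r"(?i)\b(union|select|or|and|sleep|benchmark)\b|['\"#;]|--|/\*")

PARAM = "analytic_id"  # parameter named in the advisory


def classify_value(value):
    """Return None for an acceptable value, otherwise a short reason string.
    Assumption: analytic_id is expected to be a decimal row id."""
    if re.fullmatch(r"\d{1,10}", value, re.ASCII):
        return None
    if SQL_TOKEN_RE.search(value):
        return "sql-tokens"
    return "non-numeric"


def scan_access_log(text):
    """Return one finding per request whose analytic_id value is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes, so encoded values are normalised before the check.
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            reason = classify_value(value)
            if reason:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": m.group("status"), "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} reason={f['reason']} value={f['value']!r}")
```

The same classify_value check is the condition a WAF rule for the 'analytic_id' parameter would enforce; a 500 response paired with a flagged value is worth prioritising in review.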
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-10738 is a critical SQL Injection vulnerability affecting versions 0.0.0–3.0.7 of the URL Shortener Plugin For WordPress, allowing attackers to extract data.
If you are using the URL Shortener Plugin For WordPress version 0.0.0 through 3.0.7, you are potentially affected and should upgrade immediately.
Upgrade to the latest patched version of the plugin as soon as it becomes available. Disable the plugin as a temporary workaround until the patch is applied.
While no active exploitation has been confirmed, the high severity and ease of exploitation suggest a high likelihood of exploitation in the near future.
Check the plugin developer's website and WordPress.org plugin page for updates and security advisories related to CVE-2025-10738.