Platform: wordpress
Component: exact-links
Fixed in: 3.0.8
CVE-2025-28959 describes a SQL Injection vulnerability in the URL Shortener WordPress plugin. User-controlled input reaches a database query without being parameterised or properly escaped, so an attacker can alter the query's structure and read or modify data the plugin never intended to expose. All releases up to and including 3.0.7 are affected (the advisory lists the range as 0.0.0 through 3.0.7); the fix shipped in version 3.0.8.
Successful exploitation lets an attacker run attacker-chosen SQL with the privileges of the WordPress database user, which on a typical installation is a single account with full rights over every table in the site's database. That is enough to read wp_users (usernames, e-mail addresses and password hashes) and wp_options (where many plugins store API keys and third-party credentials), to modify or delete rows, and to tamper with content. How far an attacker can go beyond the database depends on the deployment: credentials or tokens stored in the database may give a foothold on other services, and a compromised administrator account gives full control of the site.
CVE-2025-28959 was publicly disclosed on 2025-07-16. The severity is rated CRITICAL because of the potential for full database compromise. No public proof-of-concept exploit had been identified at the time of writing, and the EPSS score is low, but SQL injection in a WordPress plugin is usually straightforward to exploit once the injection point is known, so unpatched sites should not treat the absence of a public exploit as protection. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC: not given
CVSS Vector: not given
The primary mitigation for CVE-2025-28959 is to upgrade the URL Shortener plugin to version 3.0.8 or later immediately. If upgrading is not immediately feasible, a Web Application Firewall rule set that blocks common SQL injection patterns reduces exposure, but it is not a substitute for the patch: injection payloads can be encoded or restructured to evade signature matching. For plugin developers, the durable fix is to pass every user-controlled value through $wpdb->prepare() (or an equivalent parameterised query API) rather than concatenating it into the query string, and to validate values such as short-link slugs against an allow-list of permitted characters before they reach any query. Site operators should also review web server and database logs for requests to the plugin's endpoints that carry SQL keywords, comment sequences or unbalanced quote characters.
Update the URL Shortener plugin to a patched version. Refer to the plugin's release notes for specific instructions on how to apply the update and mitigate the SQL Injection vulnerability.
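The following is an added example, not code from the URL Shortener plugin or its advisory, that shows the general pattern behind a SQL injection bug of this class and the parameterised form that fixes it. It runs stand-alone on PHP with PDO and SQLite; the table name wp_short_links, its columns, the slug values and the attacker payload are all constructed for illustration and are not taken from the plugin.

```php
<?php
// Added example: unsafe string-built query versus a parameterised query,
// demonstrated with an in-memory SQLite database (requires pdo_sqlite).
// Table, columns and data below are made up for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_short_links (id INTEGER PRIMARY KEY, slug TEXT, target TEXT, owner_id INTEGER)");
$db->exec("INSERT INTO wp_short_links (slug, target, owner_id) VALUES ('promo', 'https://example.com/promo', 1)");
$db->exec("INSERT INTO wp_short_links (slug, target, owner_id) VALUES ('private', 'https://example.com/internal', 2)");

// VULNERABLE pattern: the user-supplied slug is spliced into the SQL text.
// A slug containing a quote closes the literal and the rest becomes SQL.
function lookup_unsafe(PDO $db, string $slug): array
{
    $sql = "SELECT slug, target FROM wp_short_links WHERE slug = '" . $slug . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED pattern: the slug is bound as a parameter and can only ever be
// compared as data. The WordPress equivalent is
//   $wpdb->get_results( $wpdb->prepare(
//       "SELECT slug, target FROM {$wpdb->prefix}short_links WHERE slug = %s",
//       $slug ) );
function lookup_safe(PDO $db, string $slug): array
{
    $stmt = $db->prepare("SELECT slug, target FROM wp_short_links WHERE slug = :slug");
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth for input that has a known shape: allow-list the
// characters a short-link slug may contain before it reaches any query.
function valid_slug(string $slug): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $slug) === 1;
}

$normal  = 'promo';
$payload = "x' OR '1'='1";   // constructed tautology payload

printf("unsafe, normal slug:   %d row(s)\n", count(lookup_unsafe($db, $normal)));
printf("unsafe, payload slug:  %d row(s)\n", count(lookup_unsafe($db, $payload)));
printf("safe,   normal slug:   %d row(s)\n", count(lookup_safe($db, $normal)));
printf("safe,   payload slug:  %d row(s)\n", count(lookup_safe($db, $payload)));
printf("valid_slug(normal)=%s valid_slug(payload)=%s\n",
    valid_slug($normal) ? 'true' : 'false',
    valid_slug($payload) ? 'true' : 'false');
```

With the unsafe lookup the payload turns the WHERE clause into slug = 'x' OR '1'='1', so both rows come back, including the link belonging to another owner; with the parameterised lookup the same payload is compared literally against the slug column and matches nothing. The allow-list check rejects the payload outright, which is the right place to stop it when an upgrade has to wait, but parameterisation remains the fix the patch should contain.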
CVE-2025-28959 is a critical SQL Injection vulnerability in the URL Shortener WordPress plugin that lets an attacker alter the plugin's database queries with crafted input.
You are affected if you run any URL Shortener release up to and including 3.0.7. Upgrade to 3.0.8 or later to remove the vulnerability.
Upgrade the URL Shortener plugin to version 3.0.8 or later. WAF rules and strict input validation reduce exposure in the meantime but do not replace the patch.
No public exploit was known at the time of writing and the EPSS score is low, but SQL injection in a web plugin is typically easy to exploit once the injection point is identified, so treat unpatched installations as at risk.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.