Platform
wordpress
Component
broken-link-notifier
Fixed in
1.3.1
CVE-2025-6851 describes a Server-Side Request Forgery (SSRF) vulnerability affecting the Broken Link Notifier plugin for WordPress. This flaw allows unauthenticated attackers to initiate arbitrary web requests through the plugin, potentially exposing internal resources or performing unauthorized actions. Versions 0.0.0 through 1.3.0 are vulnerable. A fix is expected from the plugin developer.
The SSRF vulnerability in Broken Link Notifier allows an attacker to craft malicious requests that originate from the WordPress server. This can be exploited to scan internal networks, access sensitive data stored on internal services (databases, APIs), or even modify data within those services, depending on their access controls. The attacker does not need authentication to exploit this vulnerability, making it a significant risk. Successful exploitation could lead to data breaches, system compromise, and denial of service. This vulnerability shares similarities with other SSRF attacks where internal services are inadvertently exposed to external actors.
CVE-2025-6851 was publicly disclosed on 2025-07-11. The CVSS score is 7.2 (HIGH). No public proof-of-concept (PoC) code has been identified at the time of writing, but the SSRF nature of the vulnerability makes it likely that a PoC will emerge. It is not currently listed on the CISA KEV catalog.
WordPress sites using the Broken Link Notifier plugin, particularly those with internal services accessible from the web server, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'ajax_blinks()' /var/www/html/wp-content/plugins/broken-link-notifier/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=bln_ajax_blinks&url=http://169.254.169.254/' # Attempt to trigger SSRF to an internal IP
Exploit status
EPSS
1.58% (81st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-6851 is to upgrade the Broken Link Notifier plugin to a version containing the fix, once released by the developer. In the interim, implement a Web Application Firewall (WAF) with rules to restrict outbound requests from the plugin, specifically blocking requests to internal IP addresses or sensitive internal services. Additionally, consider restricting the plugin's access to network resources through WordPress's capabilities system. After upgrading, verify the fix by attempting to trigger a request to an internal resource and confirming that it is blocked.
Update the Broken Link Notifier plugin to the latest available version to mitigate the Server-Side Request Forgery vulnerability. The update fixes the ajax_blinks() function and prevents unauthenticated attackers from making arbitrary web requests from the application. See the plugin page on WordPress.org for more information and to download the latest version.
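The detection check above and the mitigation advice both come down to one question: does the URL handed to the plugin point at an internal target? The following Python is an added example, not code from the advisory or from the Broken Link Notifier plugin. It implements that destination check the way a hardened link fetcher or an outbound-request filter would (scheme allowlist, literal-IP and DNS-resolved address classification, fail-closed on errors) and then runs it over constructed combined-format access-log lines for the `bln_ajax_blinks` admin-ajax action named above. The hostnames, addresses and log lines are constructed; the `STUB_DNS` table stands in for real DNS so the demo runs offline.

```python
"""Added example (not code from the advisory or the plugin): classify the
target of a URL as internal or external, and scan access-log lines for
bln_ajax_blinks requests whose url parameter points at an internal target."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

# A link checker only needs to follow web links.
ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], List[str]]


def live_resolver(host: str) -> List[str]:
    """Production resolver: every address the host resolves to (real DNS)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


# Constructed DNS answers so the demo and its checks run offline.
STUB_DNS: Dict[str, List[str]] = {
    "example.org": ["93.184.216.34"],          # public address
    "intranet.corp.example": ["10.20.30.40"],  # RFC 1918 address
}


def stub_resolver(host: str) -> List[str]:
    return STUB_DNS.get(host, [])


def _is_internal_ip(ip) -> bool:
    """Loopback, link-local (169.254.0.0/16 included), private, reserved,
    unspecified and multicast addresses all count as internal."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d hides an IPv4 target
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast)


def is_internal_target(url: str, resolver: Resolver = live_resolver) -> bool:
    """True when a server-side fetch of `url` must be refused.

    Fails closed: a bad scheme, a missing host and an unresolvable name are
    all treated as internal. Every resolved address is checked, so a name
    with one public and one private record is still refused."""
    try:
        parts = urlparse(url)
        host = parts.hostname
    except ValueError:
        return True
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return True
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IPv4 or [IPv6]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return True
    return any(_is_internal_ip(ipaddress.ip_address(a)) for a in addrs)


# Request line of a combined-format log entry hitting admin-ajax.php; the
# query string is captured so its parameters can be decoded.
_AJAX_RE = re.compile(r'"(?:GET|POST|HEAD) /wp-admin/admin-ajax\.php\?([^ "]+) HTTP/')


def find_internal_ssrf_attempts(log_lines: List[str],
                                resolver: Resolver = live_resolver) -> List[Tuple[int, str]]:
    """(line number, decoded target URL) for each bln_ajax_blinks request whose
    url parameter points at an internal target. Only the request line is
    visible in a web log; POST bodies are not, so treat this as a first pass."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_lines, 1):
        m = _AJAX_RE.search(line)
        if not m:
            continue
        params = parse_qs(m.group(1))
        if "bln_ajax_blinks" not in params.get("action", []):
            continue
        for target in params.get("url", []):
            if is_internal_target(target, resolver):
                hits.append((n, target))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jul/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=bln_ajax_blinks&url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Jul/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=bln_ajax_blinks&url=http%3A%2F%2Fexample.org%2Fpage HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jul/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30',
    '203.0.113.5 - - [11/Jul/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=bln_ajax_blinks&url=http%3A%2F%2F%5B%3A%3A1%5D%3A8080%2F HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Jul/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=bln_ajax_blinks&url=ftp%3A%2F%2Ffiles.example.net%2F HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Jul/2025:10:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=bln_ajax_blinks&url=http%3A%2F%2Fintranet.corp.example%2F HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, target in find_internal_ssrf_attempts(SAMPLE_LOG, stub_resolver):
        print(f"line {n}: internal target {target}")
```

Two design points matter when turning this into a real control. First, the check is fail-closed on purpose: an unparseable URL or an unresolvable name is refused rather than passed through, which is the behaviour you want from the fetch path of a link checker. Second, resolving a name at validation time and then letting an HTTP client resolve it again at fetch time leaves a window for the DNS answer to change; a production fix should connect to the address it validated (or validate inside the HTTP client's connect hook) rather than re-resolve.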
CVE-2025-6851 is a Server-Side Request Forgery vulnerability in the Broken Link Notifier WordPress plugin, allowing attackers to make requests on behalf of the server. It affects versions 0.0.0 through 1.3.0 and has a HIGH severity rating.
If you are running the Broken Link Notifier plugin at any version from 0.0.0 through 1.3.0 on your WordPress site, you are potentially affected. Check the plugin version and upgrade as soon as a patch is available.
Upgrade the Broken Link Notifier plugin to a patched version. Until a patch is available, implement a WAF to restrict outbound requests and limit plugin access to network resources.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability makes it a likely target. Monitor your systems and implement mitigations proactively.
Check the Broken Link Notifier plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-6851.