URL Shortener Plugin For WordPress <= 3.0.7 - Unauthenticated SQL Injection
Platform: wordpress
Component: exact-links
Fixed in: 3.0.8
A critical SQL Injection vulnerability (CVE-2025-10738) has been identified in the URL Shortener Plugin For WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized access and data exfiltration. The vulnerability affects versions from 0.0.0 up to and including 3.0.7. A patch is expected to be released by the plugin developer.
Impact and Attack Scenarios
The SQL Injection vulnerability in the URL Shortener Plugin For WordPress poses a significant risk to WordPress websites utilizing this plugin. An attacker could exploit this flaw by manipulating the 'analytic_id' parameter to inject arbitrary SQL code. Successful exploitation could allow an attacker to bypass authentication, read sensitive data stored in the WordPress database (such as user credentials, post content, and configuration details), modify data, or even execute commands on the server. The potential impact extends to the compromise of the entire WordPress installation and any connected systems. This vulnerability shares similarities with other SQL Injection attacks, where attackers leverage database queries to gain unauthorized access.
Exploitation Context
CVE-2025-10738 was publicly disclosed on 2025-12-13. The vulnerability's CRITICAL CVSS score (9.8) indicates a high probability of exploitation. Currently, no public proof-of-concept (POC) code has been released, but the ease of exploitation inherent in SQL Injection vulnerabilities suggests that a POC is likely to emerge. Monitor security advisories and threat intelligence feeds for updates.
Who Is at Risk
WordPress websites utilizing the URL Shortener Plugin For WordPress, particularly those running older, unpatched versions (0.0.0–3.0.7), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
Detection Steps
- wordpress / composer / npm:
  grep -r "SELECT * FROM wp_options WHERE option_name = 'analytic_id'" /var/www/html/wp-content/plugins/url-shortener-plugin-for-wordpress/*
- generic web:
  curl -I 'https://your-wordpress-site.com/?analytic_id='; # Check for unusual SQL syntax in the response headers
- wordpress / composer / npm:
  wp plugin list --status=inactive | grep 'url-shortener-plugin-for-wordpress'
- wordpress / composer / npm:
  wp plugin list --status=active | grep 'url-shortener-plugin-for-wordpress'
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.10% (percentile 27%)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. Unauthenticated; no credentials needed to exploit.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: High. Complete outage or resource exhaustion; total denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-10738 is to immediately upgrade the URL Shortener Plugin For WordPress to a patched version once available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement a Web Application Firewall (WAF) rule to filter requests containing suspicious SQL syntax in the 'analytic_id' parameter. Regularly review WordPress database user permissions to limit the potential damage from a successful attack. Monitor WordPress access logs for unusual SQL query patterns.
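As an added illustration (not the plugin's own code, which this page does not show), the pair below demonstrates the bug class in WordPress terms: an 'analytic_id' request value concatenated into a query by a handler reachable without authentication, next to the hardened form that validates the type, binds the value with $wpdb->prepare() and requires authorization. Hook, function and table names are assumed.

```php
<?php
// Added example, not the plugin's code. Hook, function and table names are assumed.

// VULNERABLE PATTERN (assumed shape): the raw 'analytic_id' value is interpolated
// into SQL, and the wp_ajax_nopriv_ hook makes the handler reachable unauthenticated.
add_action( 'wp_ajax_nopriv_shortener_stats_insecure', 'shortener_stats_insecure' );
function shortener_stats_insecure() {
    global $wpdb;
    $id  = $_GET['analytic_id'];                                                // untrusted, unvalidated
    $sql = "SELECT * FROM {$wpdb->prefix}shortener_analytics WHERE id = $id";   // string-built SQL
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED PATTERN: authorization check, nonce, integer validation, and a
// prepared statement so the request value never becomes part of the SQL text.
add_action( 'wp_ajax_shortener_stats', 'shortener_stats_secure' );   // logged-in users only
function shortener_stats_secure() {
    global $wpdb;

    // Authorization: require a capability and a valid nonce for this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'shortener_stats_nonce', 'nonce' );

    // Input validation: the id must be a positive integer; anything else is rejected.
    $id = isset( $_GET['analytic_id'] ) ? absint( $_GET['analytic_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid analytic_id', 400 );
    }

    // Parameter binding: %d forces an integer placeholder; no string concatenation.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, short_url, clicks FROM {$wpdb->prefix}shortener_analytics WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( $rows );
}
```

The same three controls (authorization, type validation, parameter binding) are what a code review of any handler that reads 'analytic_id' should look for.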
How to Fix
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Frequently Asked Questions
What is CVE-2025-10738 — SQL Injection in URL Shortener Plugin For WordPress?
CVE-2025-10738 is a critical SQL Injection vulnerability affecting versions 0.0.0–3.0.7 of the URL Shortener Plugin For WordPress, allowing attackers to extract data.
Am I affected by CVE-2025-10738 in URL Shortener Plugin For WordPress?
If you are using the URL Shortener Plugin For WordPress version 0.0.0 through 3.0.7, you are potentially affected and should upgrade immediately.
How do I fix CVE-2025-10738 in URL Shortener Plugin For WordPress?
Upgrade to the latest patched version of the plugin as soon as it becomes available. Disable the plugin as a temporary workaround until the patch is applied.
Is CVE-2025-10738 being actively exploited?
While no active exploitation has been confirmed, the high severity and ease of exploitation suggest a high likelihood of exploitation in the near future.
Where can I find the official URL Shortener Plugin For WordPress advisory for CVE-2025-10738?
Check the plugin developer's website and WordPress.org plugin page for updates and security advisories related to CVE-2025-10738.