Platform: wordpress
Component: exact-links
Fixed in: 3.0.8
A critical SQL Injection vulnerability (CVE-2025-10738) has been identified in the URL Shortener Plugin For WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized access and data exfiltration. The vulnerability affects versions from 0.0.0 up to and including 3.0.7. A patch is expected to be released by the plugin developer.
The SQL Injection vulnerability in the URL Shortener Plugin For WordPress poses a significant risk to WordPress websites utilizing this plugin. An attacker could exploit this flaw by manipulating the 'analytic_id' parameter to inject arbitrary SQL code. Successful exploitation could allow an attacker to bypass authentication, read sensitive data stored in the WordPress database (such as user credentials, post content, and configuration details), modify data, or even execute commands on the server. The potential impact extends to the compromise of the entire WordPress installation and any connected systems. This vulnerability shares similarities with other SQL Injection attacks, where attackers leverage database queries to gain unauthorized access.
CVE-2025-10738 was publicly disclosed on 2025-12-13. The vulnerability's CRITICAL CVSS score (9.8) indicates a high probability of exploitation. Currently, no public proof-of-concept (POC) code has been released, but the ease of exploitation inherent in SQL Injection vulnerabilities suggests that a POC is likely to emerge. Monitor security advisories and threat intelligence feeds for updates.
WordPress websites utilizing the URL Shortener Plugin For WordPress, particularly those running older, unpatched versions (0.0.0–3.0.7), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
  grep -r "SELECT * FROM wp_options WHERE option_name = 'analytic_id'" /var/www/html/wp-content/plugins/url-shortener-plugin-for-wordpress/*
• generic web:
  curl -I 'https://your-wordpress-site.com/?analytic_id='; # Check for unusual SQL syntax in the response headers
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep 'url-shortener-plugin-for-wordpress'
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'url-shortener-plugin-for-wordpress'

Disclosure
Exploit status
EPSS: 0.10% (27th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-10738 is to immediately upgrade the URL Shortener Plugin For WordPress to a patched version once available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement a Web Application Firewall (WAF) rule to filter requests containing suspicious SQL syntax in the 'analytic_id' parameter. Regularly review WordPress database user permissions to limit the potential damage from a successful attack. Monitor WordPress access logs for unusual SQL query patterns.
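As an added illustration of the log-monitoring advice above (example code written for this page, not code from the plugin or its vendor), the following Python scanner parses combined-format web access logs, percent-decodes the analytic_id query parameter and flags any value that is not a plain numeric id, naming which SQL syntax matched. It assumes a legitimate analytic_id is a small decimal integer; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2025:10:01:02 +0000] "GET /?analytic_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2025:10:01:09 +0000] "GET /?analytic_id=42%27%20OR%201%3D1--%20- HTTP/1.1" 200 9120 "-" "curl/8.0"
203.0.113.9 - - [13/Dec/2025:10:02:15 +0000] "GET /?analytic_id=1%20UNION%20SELECT%201%2C2 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.5 - - [13/Dec/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Assumption: a legitimate analytic_id is a small decimal integer. Anything else is
# at least suspicious; the signatures below name the classic SQL syntax found in it.
ALLOWED_VALUE = re.compile(r"\d{1,10}")
SQL_SIGNATURES = [
    ("quote", re.compile(r"""['"`]""")),
    ("comment", re.compile(r"--|#|/\*")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(?:or|and)\b\s*\S+\s*=\s*\S+", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
]


def classify_value(value: str) -> list[str]:
    """Return the reasons a decoded analytic_id value looks hostile (empty list = clean)."""
    reasons = [] if ALLOWED_VALUE.fullmatch(value) else ["non-numeric"]
    reasons += [name for name, pat in SQL_SIGNATURES if pat.search(value)]
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse combined-format lines and flag requests whose analytic_id is not a plain id."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash on a noisy log
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes, so "42%27" is inspected as "42'"
        for value in parse_qs(query, keep_blank_values=True).get("analytic_id", []):
            reasons = classify_value(value)
            if reasons:
                severity = "high" if any(r != "non-numeric" for r in reasons) else "low"
                findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                                 "value": value, "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ip']:14} {f['value']!r} {f['reasons']}")
```

Run it against a real access log with `scan_log(open(path).read())`; a "low" finding is an odd but syntax-free value, while "high" means recognizable SQL fragments reached the parameter and the request (and its response size/status) deserves a closer look.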
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-10738 is a critical SQL Injection vulnerability affecting versions 0.0.0–3.0.7 of the URL Shortener Plugin For WordPress, allowing attackers to extract data.
If you are using the URL Shortener Plugin For WordPress version 0.0.0 through 3.0.7, you are potentially affected and should upgrade immediately.
Upgrade to the latest patched version of the plugin as soon as it becomes available. Disable the plugin as a temporary workaround until the patch is applied.
While no active exploitation has been confirmed, the high severity and ease of exploitation suggest a high likelihood of exploitation in the near future.
Check the plugin developer's website and WordPress.org plugin page for updates and security advisories related to CVE-2025-10738.