CVE-2025-6851 Scanner

WordPress is a widely used content management system that powers millions of websites worldwide. It offers a range of plugins and themes, allowing users to customize their sites to meet specific needs. One such plugin, the Broken Link Notifier, helps website administrators identify and rectify dead links within their sites. This plugin sends notifications whenever a broken link is detected, aiding in maintaining the website's integrity and user experience. By automating this process, the tool saves time and enhances the efficiency of web management. It is primarily utilized by bloggers, businesses, and developers to ensure optimal functionality and SEO performance.

Server-Side Request Forgery (SSRF) is a vulnerability that allows attackers to send crafted requests from a vulnerable server. In this instance, the WordPress Broken Link Notifier plugin is susceptible to SSRF, enabling unauthenticated attackers to make web requests to arbitrary locations from the web application. This flaw stems from the ajax_blinks() function, eventually leading to the check_url_status_code() execution, opening a gateway for attackers. As a result, malicious individuals can perform unauthorized actions, potentially accessing sensitive internal resources. The severity of this issue underscores the need for timely remediation.

The vulnerability is present in the Broken Link Notifier plugin, particularly affecting versions up to 1.3.0. The SSRF occurs through the ajax_blinks() function, executing the check_url_status_code(), allowing unchecked requests. An attacker could exploit this by crafting specific POST requests that include nonces generated from prior interactions with the plugin. This sequence of actions could lead to unauthorized access through internal network resources, presenting significant security risks. The lack of proper validation in these functions is the primary cause of this vulnerability.

If exploited, SSRF vulnerabilities can have severe consequences for the affected WordPress site. Attackers may gain inappropriate access to internal services and sensitive information. Furthermore, they might use the assault point as a staging ground for further infiltration into connected systems. SSRF can lead to unauthorized reading of local files or even manipulation of resources within the host. The outcome could be widespread disruption or data breaches, risking user privacy and organizational integrity.

REFERENCES

• https://nvd.nist.gov/vuln/detail/CVE-2025-6851
• https://wpscan.com/vulnerability/CVE-2025-6851
• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/broken-link-notifier/broken-link-notifier-130-unauthenticated-server-side-request-forgery