{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10740", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-19T17:34:15.725Z", "datePublished": "2025-10-24T08:23:57.366Z", "dateUpdated": "2026-04-08T16:43:22.408Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:22.408Z"}, "affected": [{"vendor": "rupok98", "product": "URL Shortener Plugin For WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links."}], "title": "URL Shortener Plugin For WordPress <= 3.0.7 - Missing Authorization to Authenticated (Subscriber+) Link Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29cc5016-005e-48e8-b929-5064798f24da?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/exact-links/trunk/app/Models/LinkAnalytics.php?rev=3210852"}, {"url": "https://plugins.trac.wordpress.org/browser/exact-links/trunk/app/Http/Routes/api.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ifoundbug"}], "timeline": [{"time": "2025-10-23T20:11:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-24T16:26:31.707144Z", "id": "CVE-2025-10740", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T16:26:40.492Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10740", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-24T16:26:31.707144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T16:26:35.898Z"}}], "cna": {"title": "URL Shortener Plugin For WordPress <= 3.0.7 - Missing Authorization to Authenticated (Subscriber+) Link Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "ifoundbug"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "rupok98", "product": "URL Shortener Plugin For WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-23T20:11:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29cc5016-005e-48e8-b929-5064798f24da?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/exact-links/trunk/app/Models/LinkAnalytics.php?rev=3210852"}, {"url": "https://plugins.trac.wordpress.org/browser/exact-links/trunk/app/Http/Routes/api.php"}], "descriptions": [{"lang": "en", "value": "The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-24T08:23:57.366Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10740", "state": "PUBLISHED", "dateUpdated": "2025-10-24T16:26:40.492Z", "dateReserved": "2025-09-19T17:34:15.725Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-24T08:23:57.366Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links."}], "id": "CVE-2025-10740", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-24T09:15:41.303", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/exact-links/trunk/app/Http/Routes/api.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/exact-links/trunk/app/Models/LinkAnalytics.php?rev=3210852"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29cc5016-005e-48e8-b929-5064798f24da?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T23:35:22.051167+00:00", "value": {"mitigation_remediation": ["Update the URL Shortener Plugin to a version newer than 3.0.7, which includes the missing capability check.", "If an update is unavailable, disable or uninstall the plugin for all users or for the Subscriber role to prevent link modification.", "Restrict the Subscriber role\u2019s permissions by removing or limiting any capability that allows link management, ensuring only administrators can modify short links."], "summary": {"action": "Apply patch", "impact": "Unauthorized link modification"}, "threat_synthesis": {"affected_systems": "Vendor rupok98 offers the URL Shortener Plugin for WordPress. Versions up to and including 3.0.7 are affected; all newer releases are presumed fixed.", "description_and_impact": "The URL Shortener Plugin for WordPress is missing a capability check on the verifyRequest function in the API, allowing authenticated users with subscriber-level access or higher to modify short links. This flaw can be exploited to redirect traffic to malicious sites or alter legitimate link destinations, potentially enabling phishing, defacement, or other link abuse. The vulnerability is a classic example of unauthorized access due to missing input validation, as identified in CWE-89.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% suggests the exploitation probability is currently low. The vulnerability is not listed in CISA KEV, further implying limited widespread attacks. Based on the description, it is inferred that the attack requires an authenticated user with subscriber privileges and that the attack vector involves API requests to the plugin or use of the plugin interface; the attacker can manipulate short links."}}}}, "created": "2025-10-27T22:13:17.921417+00:00", "updated": "2026-04-27T23:45:15.887528+00:00", "vendors": ["rupok98", "rupok98$PRODUCT$url_shortener_plugin_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}