{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9949", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-03T13:40:10.996Z", "datePublished": "2025-09-20T04:27:56.609Z", "dateUpdated": "2026-04-08T17:28:49.051Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:49.051Z"}, "affected": [{"vendor": "webraketen", "product": "Internal Links Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Internal Links Manager <= 3.0.1 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e5e143-c4de-4312-8c8b-acf7ef60e0d5?source=cve"}, {"url": "https://wordpress.org/plugins/seo-automated-link-building/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362770%40seo-automated-link-building&new=3362770%40seo-automated-link-building&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "beven nyamande"}], "timeline": [{"time": "2025-09-09T13:47:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-19T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-22T15:05:09.967759Z", "id": "CVE-2025-9949", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T15:05:21.542Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-22T15:05:09.967759Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T15:05:14.326Z"}}], "cna": {"title": "Internal Links Manager <= 3.0.1 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "beven nyamande"}, {"lang": "en", "type": "finder", "value": "stealth"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webraketen", "product": "Internal Links Manager", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-09T13:47:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-19T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e5e143-c4de-4312-8c8b-acf7ef60e0d5?source=cve"}, {"url": "https://wordpress.org/plugins/seo-automated-link-building/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362770%40seo-automated-link-building&new=3362770%40seo-automated-link-building&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-20T04:27:56.609Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9949", "state": "PUBLISHED", "dateUpdated": "2025-09-22T15:05:21.542Z", "dateReserved": "2025-09-03T13:40:10.996Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-20T04:27:56.609Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9949", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-20T05:15:35.840", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362770%40seo-automated-link-building&new=3362770%40seo-automated-link-building&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/seo-automated-link-building/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e5e143-c4de-4312-8c8b-acf7ef60e0d5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:46:43.457915+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Internal Links Manager plugin version once a patch is released.", "If a newer release is not yet available, edit or disable the bulk link deletion functionality to remove the vulnerable process_bulk_action endpoint.", "Apply strong authentication controls and session management for administrators to mitigate the risk of accidental CSRF attacks.", "Monitor site logs for unexpected link deletions and audit user activity for signs of exploitation."], "summary": {"action": "Patch", "impact": "Unauthorized deletion of SEO links via cross\u2011site request forgery"}, "threat_synthesis": {"affected_systems": "WordPress plugin Internal Links Manager from vendor webraketen, affecting all releases up to and including version 3.0.1. No specific sub\u2011versions within that range are singled out; any installation of 3.0.1 or earlier is vulnerable.", "description_and_impact": "The vulnerability in the Internal Links Manager plugin allows a forged request to bypass nonce validation in the link deletion workflow, enabling an attacker to delete SEO links without authentication. This results in accidental removal of internal link data that could affect site search ranking and content integrity. The flaw is a classic CSRF weakness, classified as CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to trick a site administrator into executing a URL that triggers the bulk deletion action, so social engineering remains a prerequisite. If successful, the attacker gains the ability to delete internal links, potentially derailing SEO efforts but not compromising the core WordPress installation."}}}}, "created": "2025-09-22T09:58:55.760453+00:00", "updated": "2026-04-20T22:00:11.180319+00:00", "vendors": ["webraketen", "webraketen$PRODUCT$internal_links_manager_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}