CVE-2025-28959

2025-07-16

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:26 (vuln.today)
- CVE Published: Jul 16, 2025 - 12:15 (nvd)

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows SQL Injection. This issue affects URL Shortener: from n/a through <= 3.0.7.

Analysis (AI)

SQL injection vulnerability in the Md Yeasin Ul Haider URL Shortener (exact-links) plugin, versions up to 3.0.7, allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability stems from improper sanitization of user-supplied input used in SQL commands, enabling data exfiltration, modification, or deletion depending on the permissions of the database user. Active exploitation status is unknown, though the issue affects a WordPress plugin with a broad installation base; the EPSS probability is low at the 0.05% percentile, suggesting limited real-world exploitation despite the technical severity.

Technical Context (AI)

The vulnerability is a classic SQL injection flaw (CWE-89) in a WordPress URL shortener plugin that fails to neutralize special SQL metacharacters in user input before constructing database queries. The exact-links plugin, maintained by Md Yeasin Ul Haider, likely concatenates unsanitized GET/POST parameters directly into SQL WHERE, SELECT, or INSERT statements without using prepared statements or parameterized queries. WordPress plugins handling URL shortening typically interact with the wp_posts table or custom plugin tables; inadequate input validation allows attackers to inject SQL commands such as UNION-based queries, Boolean-based blind SQLi, or time-based blind queries. The affected CPE is implied to be a WordPress plugin: cpe:2:a:md_yeasin_ul_haider:exact-links:*:*:*:*:*:wordpress:*:*.

Affected Products (AI)

The Md Yeasin Ul Haider URL Shortener plugin (exact-links) version 3.0.7 and all earlier versions are affected. The plugin is distributed via WordPress.org and runs on WordPress-compatible environments (PHP-based content management systems). Affected installations include any WordPress site with the exact-links plugin active and unpatched through version 3.0.7. The vulnerable product is cataloged at https://patchstack.com/database/Wordpress/Plugin/exact-links/vulnerability/wordpress-url-shortener-3-0-7-sql-injection-vulnerability?_s_id=cve.

Remediation (AI)

Update the exact-links plugin to a version greater than 3.0.7 immediately. No specific patched version is confirmed in the provided data; verify availability via the WordPress.org plugin repository or contact the plugin maintainer via the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/exact-links/vulnerability/wordpress-url-shortener-3-0-7-sql-injection-vulnerability?_s_id=cve). As an interim measure, restrict plugin functionality to authenticated users only via WordPress role-based access control, disable the plugin if it is not actively used, or apply Web Application Firewall (WAF) rules to block SQL injection payloads (e.g., blocking quotes and UNION keywords in URL parameters). Ensure that all database accounts used by WordPress run with the minimum required privileges (no DROP or TRUNCATE permissions).


CVE-2025-28959 vulnerability details – vuln.today
