
Md Yeasin Ul Haider URL Shortener CVE-2025-28961

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-07-16 audit@patchstack.com
9.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Re-analysis Queued: Apr 23, 2026 15:42 (vuln.today)
CVSS changed to 9.8 (CRITICAL): Apr 23, 2026 15:42 (NVD)
Analysis Generated: Apr 01, 2026 17:26 (vuln.today)
CVE Published: Jul 16, 2025 12:15 (NVD)

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Object Injection. This issue affects URL Shortener: from n/a through <= 3.0.7.

Analysis (AI-generated)

Deserialization of untrusted data in the exact-links WordPress plugin (versions up to and including 3.0.7) enables PHP object injection, which can lead to remote code execution or privilege escalation depending on the gadget chains available in the loaded code base. The flaw stems from passing serialized PHP data to unserialize() without validation, letting an attacker instantiate arbitrary objects with chosen property values and trigger their magic methods. NVD rates the issue 9.8 (network-reachable, no privileges and no user interaction required). No public exploit proof-of-concept is documented, but deserialization flaws of this kind (CWE-502) are a well-understood and critical attack surface in WordPress environments.

Technical Context (AI-generated)

The exact-links URL shortener plugin for WordPress deserializes untrusted data, most likely user-supplied input from GET/POST parameters or values previously stored in the database (the exact sink is not published). PHP object injection (CWE-502: Deserialization of Untrusted Data) occurs when unserialize() processes an attacker-controlled string without prior validation and without the allowed_classes option (available since PHP 7.0) restricting which classes may be instantiated. The attacker can then instantiate any class loaded in the WordPress/plugin scope with chosen property values and trigger magic methods such as __wakeup, __destruct or __toString; depending on the gadget chains present in loaded libraries, this can read files, write to the filesystem, or execute code.

Affected Products (AI-generated)

The exact-links WordPress plugin by Md Yeasin Ul Haider is affected in version 3.0.7 and all earlier releases (no lower bound is specified). The plugin is distributed through the WordPress plugin repository and is identified by the Patchstack CVE record. No CPE has been formally issued; the affected product is wordpress-url-shortener (plugin slug: exact-links). Users can verify their installed version in the WordPress admin dashboard under Plugins.

Remediation (AI-generated)

Update the exact-links plugin to a patched version released after 3.0.7. Check the official WordPress plugin repository or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/exact-links/vulnerability/wordpress-url-shortener-3-0-7-php-object-injection-vulnerability?_s_id=cve) for the latest available version and patch release notes. If no patched version is available, disable or remove the plugin until the maintainer releases one; because the NVD vector requires no privileges and no user interaction, a vulnerable version should not stay exposed. Additionally, review web server and WordPress logs for request parameters carrying serialized PHP objects (strings beginning with O:<n>:"), audit other active plugins for unserialize() calls on untrusted input, and consider a WordPress security plugin or WAF rule that flags such payloads.
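The unserialize() sink described under Technical Context and the monitoring suggested in Remediation, as an added example that is not the exact-links plugin's code (the plugin's real sink is not public): a hypothetical gadget class, the attacker's payload built offline as a plain string, the vulnerable handler beside the hardened one, and a request-side check for serialized-object markers. The class, function and file names are assumptions; the script needs PHP 8 for the mixed return type.

```php
<?php
declare(strict_types=1);
// Added example, not code from the exact-links plugin. LogWriter, the handler
// names and the temp-file target are hypothetical; the CWE-502 pattern and
// the two fixes are the point.

// A "gadget": any loaded class whose magic method has a useful side effect.
// WordPress plus its plugins load many classes, so one is usually in scope.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    // PHP calls this when the object is destroyed, e.g. the moment the result
    // of unserialize() is discarded, so the plugin never has to "use" it.
    public function __destruct()
    {
        file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

// The attacker builds the payload as a plain string (no LogWriter instance is
// created on the attacker's side). In a real attack $content would be a
// webshell and $path a location under the web root.
function attackerPayload(string $path, string $content): string
{
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"line";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
}

// VULNERABLE: request data goes straight into unserialize(), so any class in
// scope can be instantiated with attacker-chosen property values.
function vulnerableHandler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED: with allowed_classes => false every O:... token becomes a
// __PHP_Incomplete_Class stub and no magic method of the named class runs.
// Pass an explicit list (['allowed_classes' => ['ShortLink']]) only when the
// data genuinely must carry a specific class.
function hardenedHandler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Detection hook for the WAF/logging side: serialized PHP objects start with
// O:<len>:"<class>" (or C:<len>:" for custom serialization). Flag such values
// before the application touches them.
function looksLikeSerializedObject(string $value): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $value) === 1;
}

$target  = sys_get_temp_dir() . '/oi-demo-' . getmypid() . '.txt';
$payload = attackerPayload($target, "attacker-controlled content\n");

printf("flagged by filter: %s\n", looksLikeSerializedObject($payload) ? 'yes' : 'no');

vulnerableHandler($payload);   // returned object is discarded -> __destruct fires
printf("vulnerable handler, file written: %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

$obj = hardenedHandler($payload);
printf("hardened handler got %s, file written: %s\n",
    get_class($obj), file_exists($target) ? 'yes' : 'no');
```

Run it with `php demo.php`. The vulnerable handler writes the attacker's content to the chosen path without the script ever calling a LogWriter method, because the destructor runs as soon as the deserialized object is dropped; the hardened handler returns a __PHP_Incomplete_Class stub and nothing is written. The regex check is deliberately loose (it also matches a legitimate serialized object), so treat a hit as a signal for logging or blocking on parameters that should never carry objects, not as proof of attack.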


CVE-2025-28961 vulnerability details – vuln.today
