Description (NVD)
Missing Authorization vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects URL Shortener: from n/a through <= 3.0.7.
Analysis (AI)
Missing authorization controls in the exact-links WordPress URL Shortener plugin (versions up to and including 3.0.7) allow unauthenticated or low-privileged attackers to reach functionality that should be restricted by access control lists. The root cause is improper ACL enforcement: the plugin does not verify that the caller holds the required permission before executing the action, so users can perform operations beyond their intended role without meeting any authentication requirement.
Technical Context (AI)
The exact-links URL Shortener plugin fails to implement authorization checks (CWE-862: Missing Authorization) on sensitive functionality. The underlying defect is broken access control: the application does not adequately verify user permissions before granting access to restricted features. This is a common weakness in WordPress plugins, where developers omit capability checks via functions such as current_user_can() or fail to validate nonce tokens before processing administrative or user-restricted operations. The plugin's architecture appears to expose functionality endpoints without ACL validation, so the restricted functionality can be reached directly.
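To illustrate the class of defect described above, here is an added example (not code from the exact-links plugin or its author) of a hypothetical WordPress admin-ajax handler that deletes a short link, first written without any authorization check and then hardened with the capability and nonce checks WordPress provides. Action names, option keys and the script handle are assumptions made for the example.

```php
<?php
// Added example, not code from the exact-links plugin. The action name
// "demo_delete_link" and the option key prefix "demo_short_link_" are
// hypothetical and exist only to make the handler self-contained.

// VULNERABLE (CWE-862): the action is registered for anonymous requests
// as well, and the callback never checks a capability or a nonce, so any
// client that can reach admin-ajax.php can delete any short link by id.
add_action( 'wp_ajax_demo_delete_link', 'demo_delete_link_unsafe' );
add_action( 'wp_ajax_nopriv_demo_delete_link', 'demo_delete_link_unsafe' );
function demo_delete_link_unsafe() {
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    delete_option( 'demo_short_link_' . $id );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// HARDENED: no nopriv registration (anonymous callers never reach the
// callback), an authorization check via current_user_can(), and a nonce
// check via check_ajax_referer() so the request must originate from a
// page that issued the token.
add_action( 'wp_ajax_demo_delete_link_safe', 'demo_delete_link_safe' );
function demo_delete_link_safe() {
    // check_ajax_referer() terminates the request with HTTP 403 (-1 body)
    // when the "nonce" field is missing or does not match this action.
    check_ajax_referer( 'demo_delete_link', 'nonce' );

    // Authorization: only users holding the chosen capability may delete.
    // Pick the narrowest capability that fits the feature; manage_options
    // is used here as a conservative default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 );
    }
    delete_option( 'demo_short_link_' . $id );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// The admin page that triggers the action must ship the matching nonce to
// its JavaScript; "demo-admin" is an assumed script handle.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'nonce' => wp_create_nonce( 'demo_delete_link' ),
    ) );
} );
```

When reviewing a plugin for this weakness, look at every wp_ajax_*, wp_ajax_nopriv_*, REST route and admin-post handler and confirm each one performs both a capability check and a nonce check before touching state.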
Affected Products (AI)
The exact-links WordPress URL Shortener plugin is affected in all versions up to and including 3.0.7. Administrators can identify the plugin via its CPE reference for WordPress plugins and should compare their installed version against the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/exact-links/vulnerability/wordpress-url-shortener-3-0-7-broken-access-control-vulnerability?_s_id=cve.
Remediation (AI)
Update the exact-links WordPress URL Shortener plugin to a patched version newer than 3.0.7. In the WordPress admin dashboard, open the Plugins page, locate the exact-links plugin, and click 'Update' if a newer version is offered. If no patched version is yet available on WordPress.org, consult the Patchstack advisory for vendor guidance and a timeline. As a temporary mitigation, deactivate the exact-links plugin entirely until a security update is released. In addition, audit user roles and capabilities to confirm that no unintended access has been granted, and consider Web Application Firewall (WAF) rules that block unauthorized requests to the plugin's functionality endpoints.