Skip to main content

Yannick Lefebvre Link Library CVE-2025-68600

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2025-12-24 audit@patchstack.com
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Apr 23, 2026 - 15:43 NVD
CRITICAL MEDIUM
CVSS changed
Apr 23, 2026 - 15:43 NVD
9.1 (CRITICAL) 4.9 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 24, 2025 - 13:16 nvd
CRITICAL 9.1

DescriptionCVE.org

Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery.This issue affects Link Library: from n/a through <= 7.8.7.

AnalysisAI

Server-Side Request Forgery in WordPress Link Library plugin versions up to 7.8.7 allows unauthenticated remote attackers to make arbitrary HTTP requests from the server, potentially accessing internal resources, cloud metadata endpoints, or conducting reconnaissance of internal network infrastructure. CVSS score of 9.1 indicates high severity, though EPSS of 0.04% (14th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the Link Library WordPress plugin, a tool for managing and displaying collections of web links. The flaw stems from CWE-918 (Server-Side Request Forgery), where insufficient validation of user-supplied URLs allows attackers to manipulate the server into making HTTP requests to arbitrary destinations. In WordPress plugin contexts, SSRF vulnerabilities typically arise from inadequate input sanitization in features that fetch remote content, such as link validation, RSS feed parsing, or thumbnail generation. The attacker can leverage the server's trusted position to access resources that would be unreachable from external networks, including localhost services (127.0.0.1), internal network hosts (RFC1918 addresses), or cloud provider metadata APIs (169.254.169.254 on AWS/Azure/GCP).

Affected ProductsAI

WordPress Link Library plugin versions from the earliest available release through version 7.8.7 are confirmed vulnerable. The plugin is identified by Patchstack vulnerability database and affects WordPress installations where Link Library is deployed. Users running any version at or below 7.8.7 should consider their installations at risk. The vulnerability was reported by audit@patchstack.com and primarily impacts WordPress site administrators who have installed this link management plugin for organizing and displaying external URLs.

RemediationAI

Upgrade WordPress Link Library plugin to version 7.8.8 or later if available, as versions through 7.8.7 are confirmed vulnerable. Verify the installed version in WordPress admin dashboard under Plugins and update immediately. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/link-library/vulnerability/wordpress-link-library-plugin-7-8-4-server-side-request-forgery-ssrf-vulnerability for vendor-specific guidance. As defense-in-depth measures, implement network egress filtering to restrict WordPress server outbound connections to only necessary external destinations, block access to cloud metadata endpoints (169.254.169.254) at firewall level, and segment WordPress infrastructure from sensitive internal networks. Monitor server logs for unusual outbound HTTP requests to internal IP ranges or metadata services.

Share

CVE-2025-68600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy