Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network AJAX vector, Subscriber auth required (PR:L); A:L added over NVD's A:N because 410 injection makes legitimate pages unavailable to all visitors.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0. This is due to a missing capability check (current_user_can()) and missing nonce verification (check_ajax_referer()) in the ajax_import_410() function, while all other AJAX handlers in the same class (ajax_add_single_410, ajax_save_editted_410, ajax_delete_410, ajax_bulk_410_delete, ajax_empty_410, ajax_export_410) properly implement both authorization and nonce checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary URLs into the 410 Gone database table via the surfl_import_410 AJAX action. Injected URLs will cause the site to return HTTP 410 Gone responses to all visitors accessing those paths, potentially causing denial of service for legitimate pages and SEO damage through search engine delisting.
AnalysisAI
Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum Subscriber-level privileges - the lowest default WordPress role, typically granted to any registered user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N captures the network-accessible, low-complexity nature of exploitation but likely understates availability impact: injecting arbitrary URLs into the 410 Gone table causes those legitimate pages to return HTTP 410 Gone to every visitor, which is a functional targeted denial-of-service against specific content and a potent SEO attack vector - search engines interpret 410 as permanent removal and can delist affected pages. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free account on a target WordPress site with open registration, obtaining Subscriber-level access, then crafts a POST request to wp-admin/admin-ajax.php with action=surfl_import_410 and a payload containing a list of the site's legitimate, high-traffic page URLs. The plugin's ajax_import_410() function imports all submitted URLs into the 410 Gone table without verifying the caller's permissions, causing the site to respond with HTTP 410 Gone to every visitor attempting to access those pages. … |
| Remediation | An upstream code fix has been committed to the SurfLink plugin repository per the changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3542304%40surflink&new=3542304%40surflink; administrators should update SurfLink to the latest version available in the WordPress plugin directory immediately, then verify the installed version post-update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43135
GHSA-vgw6-5938-gvqv