Skip to main content

SurfLink WordPress Plugin EUVDEUVD-2026-43135

| CVE-2026-3552 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-vgw6-5938-gvqv
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network AJAX vector, Subscriber auth required (PR:L); A:L added over NVD's A:N because 410 injection makes legitimate pages unavailable to all visitors.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 11, 2026 - 06:01 EUVD
Analysis Generated
Jul 11, 2026 - 05:10 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 4.3

DescriptionCVE.org

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0. This is due to a missing capability check (current_user_can()) and missing nonce verification (check_ajax_referer()) in the ajax_import_410() function, while all other AJAX handlers in the same class (ajax_add_single_410, ajax_save_editted_410, ajax_delete_410, ajax_bulk_410_delete, ajax_empty_410, ajax_export_410) properly implement both authorization and nonce checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary URLs into the 410 Gone database table via the surfl_import_410 AJAX action. Injected URLs will cause the site to return HTTP 410 Gone responses to all visitors accessing those paths, potentially causing denial of service for legitimate pages and SEO damage through search engine delisting.

AnalysisAI

Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber-level WordPress account
Delivery
Craft POST to wp-admin/admin-ajax.php with action=surfl_import_410
Exploit
Supply list of legitimate site page URLs as import payload
Execution
Plugin writes URLs to 410 Gone table without authorization check
Persist
Targeted pages return HTTP 410 Gone to all visitors
Impact
Content DoS and search engine delisting achieved

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum Subscriber-level privileges - the lowest default WordPress role, typically granted to any registered user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N captures the network-accessible, low-complexity nature of exploitation but likely understates availability impact: injecting arbitrary URLs into the 410 Gone table causes those legitimate pages to return HTTP 410 Gone to every visitor, which is a functional targeted denial-of-service against specific content and a potent SEO attack vector - search engines interpret 410 as permanent removal and can delist affected pages. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free account on a target WordPress site with open registration, obtaining Subscriber-level access, then crafts a POST request to wp-admin/admin-ajax.php with action=surfl_import_410 and a payload containing a list of the site's legitimate, high-traffic page URLs. The plugin's ajax_import_410() function imports all submitted URLs into the 410 Gone table without verifying the caller's permissions, causing the site to respond with HTTP 410 Gone to every visitor attempting to access those pages. …
Remediation An upstream code fix has been committed to the SurfLink plugin repository per the changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3542304%40surflink&new=3542304%40surflink; administrators should update SurfLink to the latest version available in the WordPress plugin directory immediately, then verify the installed version post-update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43135 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy