Skip to main content
CVE Vulnerability Database

CVE-2025-6851: Broken Link Notifier SSRF Vulnerability

CVE-2025-6851 is a Server-Side Request Forgery flaw in Pluginrx Broken Link Notifier for WordPress that enables unauthenticated attackers to make arbitrary web requests. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6851 Overview

CVE-2025-6851 is a Server-Side Request Forgery (SSRF) vulnerability in the Broken Link Notifier plugin for WordPress. The flaw affects all versions up to and including 1.3.0 and is tracked under [CWE-918]. Unauthenticated attackers can abuse the ajax_blinks() function, which invokes check_url_status_code(), to force the WordPress server to issue arbitrary HTTP requests. Attackers can use this behavior to reach internal services, enumerate metadata endpoints, and read or modify data reachable from the web application host.

Critical Impact

Unauthenticated remote attackers can pivot through affected WordPress sites to interact with internal-only network services and cloud metadata endpoints.

Affected Products

  • Pluginrx Broken Link Notifier plugin for WordPress, all versions through 1.3.0
  • WordPress sites running the broken-link-notifier component
  • Deployments exposing the plugin's AJAX endpoints to unauthenticated users

Discovery Timeline

  • 2025-07-11 - CVE-2025-6851 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6851

Vulnerability Analysis

The vulnerability resides in the plugin's AJAX handler ajax_blinks(), which forwards a user-supplied URL to check_url_status_code() without validating the destination. The helper function issues an outbound HTTP request from the WordPress process to whatever address the attacker provides. Because the AJAX endpoint does not require authentication, any remote user can trigger the request. This turns the WordPress server into a proxy for attacker-controlled traffic.

SSRF conditions like this are particularly damaging in cloud-hosted WordPress deployments. Attackers commonly target 169.254.169.254 to retrieve instance metadata, temporary IAM credentials, or user-data scripts. They can also reach internal admin panels, Redis or Elasticsearch instances, and other services that trust the local network.

Root Cause

The root cause is missing validation and allow-listing of the target URL before it is passed to the HTTP client inside check_url_status_code(). The plugin trusts attacker-controlled input for the request destination and does not restrict schemes, hostnames, or IP ranges. Loopback, link-local, and RFC1918 addresses remain reachable.

Attack Vector

Exploitation requires only network access to a vulnerable site. An attacker submits a crafted request to the plugin's AJAX endpoint with a URL parameter pointing at an internal resource. The WordPress server performs the request and, depending on plugin behavior, may return status codes or content that leak information about internal services. No authentication, user interaction, or elevated privileges are required.

No verified public proof-of-concept code is available. See the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-6851

Indicators of Compromise

  • Unauthenticated POST requests to admin-ajax.php with the action=blinks parameter or related ajax_blinks() handlers
  • Outbound HTTP requests from the WordPress host to internal ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.169.254
  • Repeated AJAX calls containing URL parameters pointing to non-public hostnames or unusual ports

Detection Strategies

  • Inspect WordPress access logs for high-frequency requests to wp-admin/admin-ajax.php with URL parameters targeting private addresses
  • Correlate web-tier request logs with egress firewall or VPC flow logs to identify SSRF pivot attempts originating from the WordPress host
  • Alert on the WordPress PHP process initiating connections to cloud metadata endpoints or internal management interfaces

Monitoring Recommendations

  • Enable egress logging on the host running WordPress and forward events to a centralized analytics platform
  • Track plugin file integrity for broken-link-notifier to detect tampering or unauthorized version rollbacks
  • Monitor for anomalous DNS resolutions initiated by the web server process, especially to internal or metadata hostnames

How to Mitigate CVE-2025-6851

Immediate Actions Required

  • Update the Broken Link Notifier plugin to a version later than 1.3.0 once a fixed release is available from the vendor
  • Disable or remove the plugin on sites where an updated version is not yet deployed
  • Restrict outbound network access from WordPress hosts to only required destinations, blocking loopback and link-local ranges at the egress layer
  • Enforce Instance Metadata Service v2 (IMDSv2) with hop-limit 1 on AWS-hosted WordPress instances to blunt metadata theft

Patch Information

Refer to the WordPress ChangeLog Update for the committed source change addressing the SSRF condition. Site administrators should upgrade to the patched plugin version published in the WordPress plugin repository. Confirm the installed version through the WordPress admin plugins page after applying the update.

Workarounds

  • Block requests to admin-ajax.php with action=blinks at the web application firewall for unauthenticated clients
  • Deploy egress filtering rules that deny outbound connections from the web server to 169.254.169.254, RFC1918, and loopback ranges
  • Remove or rename the plugin directory wp-content/plugins/broken-link-notifier/ until a fixed version is installed
bash
# Example WAF rule (ModSecurity) blocking unauthenticated calls to the vulnerable action
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1006851,msg:'Block CVE-2025-6851 SSRF attempt'"
    SecRule ARGS:action "@streq blinks" \
        "chain"
        SecRule &REQUEST_COOKIES:wordpress_logged_in "@eq 0"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.