CVE-2025-1264
Description
The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to SQL Injection via the 'orderBy' parameter in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Broken Link Checker by AIOSEO plugin for WordPress up to 1.2.3 is vulnerable to SQL injection via the 'orderBy' parameter, allowing authenticated attackers to extract sensitive database information.
The Broken Link Checker by AIOSEO plugin for WordPress (versions up to 1.2.3) suffers from a SQL injection vulnerability in the 'orderBy' parameter [1]. The plugin fails to properly escape user-supplied input and does not prepare SQL statements, allowing attackers to modify existing queries.
To exploit this, an attacker must be authenticated with at least Contributor-level access. By manipulating the 'orderBy' parameter in a request, they can append additional SQL queries to the original query, leading to injection.
Successful exploitation enables the attacker to extract sensitive information from the database, such as usernames, passwords, or other confidential data. The attack does not require any special privileges beyond Contributor, making it a medium severity risk.
As of the publication date, no patch has been released. Users are advised to disable the plugin or restrict access to trusted users until an update is available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- plugins.trac.wordpress.org/browser/broken-link-checker-seo/trunk/app/Api/Api.phpnvd
- plugins.trac.wordpress.org/browser/broken-link-checker-seo/trunk/app/Api/LinkStatusTable.phpnvd
- plugins.trac.wordpress.org/browser/broken-link-checker-seo/trunk/app/Core/Database.phpnvd
- plugins.trac.wordpress.org/browser/broken-link-checker-seo/trunk/app/Core/Database.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- wordpress.org/plugins/broken-link-checker-seonvd
- www.wordfence.com/threat-intel/vulnerabilities/id/ce2d582e-4f50-4b55-9f3b-3c46d96c0927nvd
News mentions
0No linked articles in our index yet.