CVE-2025-67465

Vulnerability

Overview

The Simple Link Directory plugin for WordPress, versions up to and including 8.8.3, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises from insufficient validation of request origins, enabling an attacker to craft malicious requests that appear legitimate to the server.

Exploitation

Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked must be tricked into clicking a crafted link, visiting a malicious page, or submitting a specially designed form while authenticated to the WordPress site [1]. No additional privileges are needed beyond the victim's existing session.

Impact

Successful CSRF attacks can force the victim to perform unintended actions under their current authentication, such as changing plugin settings, adding or deleting links, or other administrative operations [1]. This could lead to unauthorized configuration changes or data manipulation.

Mitigation

The vulnerability is patched in version 8.8.8.8.4 [1]. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended [1]. The issue is rated as low severity (CVSS 4.3) and is considered unlikely to be exploited in mass campaigns, though prompt patching is still advised.