CVE-2025-67576
Description
Missing Authorization vulnerability in QuantumCloud Simple Link Directory (simple-link-directory) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory: from n/a through <= 8.8.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Simple Link Directory plugin (≤8.8.3) allows unauthenticated attackers to exploit broken access controls, potentially leading to unauthorized actions.
Vulnerability Overview
The Simple Link Directory plugin for WordPress versions through 8.8.3 suffers from a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, allowing users without the necessary privileges to perform actions that should be restricted to higher-level roles. This is a classic broken access control issue, where the software does not verify that the current user has the required permissions before executing a sensitive operation [1].
Exploitation
This vulnerability can be exploited without authentication, as the missing authorization check means an unauthenticated attacker can trigger the affected functionality. The Patchstack advisory notes that such vulnerabilities are frequently used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity. No special network position or prior access is required; the attacker only needs to send crafted requests to the vulnerable endpoint [1].
Impact
While the CVSS score is 5.3 (Medium) and the severity is considered low, successful exploitation could allow an attacker to perform actions that should be limited to authorized users. The exact impact depends on the specific function that lacks authorization, but it may include modifying directory entries, accessing sensitive data, or other unauthorized operations. The vulnerability does not require any user interaction or elevated privileges to exploit [1].
Mitigation
The vendor has released version 8.8.4 which addresses the missing authorization issue. Users are strongly advised to update the plugin immediately. For those unable to update, Patchstack recommends enabling auto-updates for vulnerable plugins or consulting with a hosting provider or web developer for assistance. No workarounds are documented, so updating is the only reliable fix [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 8.8.3
Patches
No patches discovered yet.
References