CVE-2025-67962

Vulnerability

Overview The Broken Link Checker plugin for WordPress (versions up to and including 1.2.6) contains an SQL injection vulnerability due to improper neutralization of special elements used in an SQL command [1]. This flaw allows an attacker to inject arbitrary SQL queries into the database layer.

Exploitation

No authentication is required to exploit this vulnerability, making it accessible to any remote attacker. Attackers can target thousands of websites running the vulnerable plugin in mass-exploit campaigns [1]. The attack vector is network-based and requires no user interaction.

Impact

Successful exploitation could allow an attacker to directly interact with the database, including stealing sensitive information, modifying data, or potentially gaining further access to the WordPress site [1]. The CVSS v3 score is 7.6 (High), reflecting the serious risk to confidentiality, integrity, and availability.

Mitigation

The vulnerability has been patched version 1.2.7 resolves the issue [1]. Users are strongly advised to update immediately update immediately. If updating is not possible, consult a hosting provider or web developer for assistance. Auto-update features can be enabled for vulnerable plugins.