CVE-2025-9949
Description
The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Internal Links Manager plugin for WordPress (≤3.0.1) lacks CSRF protection in its bulk link deletion, allowing unauthenticated attackers to trick admins into deleting SEO links.
Vulnerability
Overview
The Internal Links Manager plugin for WordPress, up to version 3.0.1, is vulnerable to Cross-Site Request Forgery (CSRF) in its link deletion functionality. The root cause is missing or incorrect nonce validation within the process_bulk_action() function, which handles bulk operations on SEO links [1]. This CSRF flaw allows an attacker to forge requests that delete links without the administrator's consent.
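As an added illustration (not the Internal Links Manager plugin's own code), the following hypothetical WordPress bulk-action handler shows the missing-nonce pattern described above beside its corrected form; the function names, the 'link' request key and the 'links' list-table plural argument are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical names:
// ilm_bulk_delete_vulnerable(), ilm_bulk_delete_fixed(), ilm_delete_link(),
// the 'link' request key and the 'links' WP_List_Table plural argument.

// BEFORE: the handler trusts any request that arrives with action=delete and
// a list of IDs. A cross-site form POST auto-submitted in an administrator's
// browser carries the admin's cookies and passes straight through.
function ilm_bulk_delete_vulnerable() {
    if ( ! isset( $_REQUEST['action'] ) || 'delete' !== $_REQUEST['action'] ) {
        return;
    }
    $ids = isset( $_REQUEST['link'] ) ? (array) $_REQUEST['link'] : array();
    foreach ( $ids as $id ) {
        ilm_delete_link( absint( $id ) );
    }
}

// AFTER: same flow, but the request must carry a nonce bound to this action
// and the current user session, and the user must hold the capability needed
// to manage the plugin. WP_List_Table emits the bulk nonce in its form as
// wp_nonce_field( 'bulk-' . $this->_args['plural'] ), so with 'links' as the
// plural argument the action name to verify is 'bulk-links'.
function ilm_bulk_delete_fixed() {
    if ( ! isset( $_REQUEST['action'] ) || 'delete' !== $_REQUEST['action'] ) {
        return;
    }
    // check_admin_referer() reads $_REQUEST['_wpnonce'] and dies with a 403
    // page when the nonce is missing, stale or issued for another user, so a
    // forged request from another origin never reaches the deletion loop.
    check_admin_referer( 'bulk-links' );

    // Capability check: a nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete links.', 'ilm' ), 403 );
    }

    $ids = isset( $_REQUEST['link'] )
        ? array_map( 'absint', (array) $_REQUEST['link'] )
        : array();
    foreach ( $ids as $id ) {
        ilm_delete_link( $id );
    }
}
```

The nonce must be verified before any state change, not after; a check placed below the loop would still let the deletion happen.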
Exploitation
Prerequisites
Exploitation requires tricking a logged-in site administrator into performing an action, such as clicking a malicious link or visiting a crafted page. The attacker does not need authentication, as the forged request can be delivered via social engineering or embedded in other content. The vulnerability affects all plugin versions up to and including 3.0.1 [1].
Impact
If successfully exploited, an unauthenticated attacker can delete SEO links managed by the plugin. This could disrupt the site's internal linking structure, potentially harming user experience and search engine optimization (SEO) efforts. The plugin's description emphasizes the importance of internal links for improving UX and SEO, so deletion of these links could degrade site navigation and ranking signals [1].
Mitigation
As of the publication date, users should update the plugin to a version newer than 3.0.1 if available, or apply any security patches provided by the vendor. Administrators should also be cautious of unsolicited links while logged in and follow general CSRF defenses, such as requiring a valid nonce on every state-changing request.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (No linked articles in our index yet.)