CVE-2025-10740: 
WordPress vulnerability analysis and mitigation

The URL Shortener Plugin For WordPress is affected by a vulnerability (CVE-2025-10740) discovered in versions up to 3.0.7. The vulnerability stems from a missing capability check in the verifyRequest function, which allows unauthorized access to API functionality. This security issue was disclosed on October 23, 2025 (NVD, Wordfence).

The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The security flaw exists in the API functionality of the plugin, specifically in the verifyRequest function, which lacks proper capability checks. This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify links within the system. This unauthorized access to link modification functionality could potentially lead to manipulation of existing shortened URLs, potentially redirecting users to malicious destinations (NVD).

Users should update their URL Shortener Plugin For WordPress to a version newer than 3.0.7 once available. Until then, site administrators should review and potentially restrict user roles with access to the plugin's functionality (NVD).