CVE-2025-1264: 
WordPress vulnerability analysis and mitigation

CVE-2025-1264 affects the Broken Link Checker by AIOSEO WordPress plugin versions up to and including 1.2.3. The vulnerability was discovered on April 5, 2025, and involves an SQL Injection vulnerability in the 'orderBy' parameter. The plugin is widely used with over 200,000 active installations (NVD).

The vulnerability exists due to insufficient escaping on the user-supplied 'orderBy' parameter and lack of proper preparation of SQL queries. This security flaw allows authenticated attackers with Contributor-level access or higher to append additional SQL queries to existing queries. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows authenticated attackers to extract sensitive information from the WordPress database by injecting malicious SQL queries. This could potentially lead to unauthorized access to sensitive data stored in the database (NVD).

The vulnerability has been patched in version 1.2.4 of the plugin, which includes hardening of ORDER BY/LIMIT clauses for database queries. Users are advised to update to this version immediately (WordPress Plugin).