CVE-2025-24679: 
WordPress vulnerability analysis and mitigation

The Internal Links Manager WordPress plugin version 2.5.2 and below contains a Missing Authorization vulnerability, discovered by Caesar Evan Santoso in December 2024 and publicly disclosed on January 24, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS score of 4.3 (Low severity). The security flaw stems from missing authorization, authentication, or nonce token checks in certain functions, potentially allowing unprivileged users to execute higher privileged actions. The vulnerability requires Subscriber level privileges to exploit (Patchstack).

The vulnerability has been assessed as having a low severity impact and is considered unlikely to be exploited. The broken access control issue could potentially allow unauthorized users to perform actions beyond their intended privilege level (Patchstack).

The vulnerability has been fixed in version 2.5.3 of the Internal Links Manager plugin. Users are advised to update to version 2.5.3 or later to remediate the security issue. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).