CVE-2025-28965: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-28965) was discovered in the WordPress URL Shortener plugin, affecting versions through 3.0.7. The vulnerability was reported by researcher ch4r0n and published on July 15, 2025. The issue allows unauthenticated users to access functionality that should be properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L. The issue is classified as CWE-862 (Missing Authorization) and represents a broken access control vulnerability that could allow unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability is considered highly dangerous and is expected to become mass exploited. It allows unauthorized access to functionality that should be restricted, potentially leading to confidentiality breach (Low), integrity compromise (High), and availability impact (Low) (Patchstack).

Currently, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement immediate mitigation measures (Patchstack).