CVE-2025-4047: 
WordPress vulnerability analysis and mitigation

The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access in versions up to and including 2.4.4. The vulnerability (CVE-2025-4047) was discovered due to a missing capability check on the ajaxfullstatus and ajaxdashboardstatus functions, which allows authenticated attackers with Subscriber-level access or higher to view the plugin's status (NVD).

The vulnerability stems from insufficient authorization controls in the plugin's AJAX functions. The issue is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 Base Score of 4.3 (MEDIUM) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability specifically affects the ajaxfullstatus and ajaxdashboardstatus functions in the plugin's core functionality (NVD, Wordfence).

The vulnerability allows authenticated users with Subscriber-level access or higher to view the plugin's status information, which should normally be restricted to users with higher privileges. This represents an unauthorized access to potentially sensitive plugin configuration data (NVD).

The issue has been addressed in subsequent versions of the plugin. Users are advised to update their Broken Link Checker plugin to a version newer than 2.4.4 to mitigate this vulnerability (WordPress Trac).