CVE-2025-6838: 
WordPress vulnerability analysis and mitigation

The Broken Link Notifier plugin for WordPress contains a CSV Injection vulnerability (CVE-2025-6838) affecting all versions up to and including 1.3.0. The vulnerability was discovered and disclosed on July 11, 2025, and affects the plugin's export functionality for broken links (NVD).

The vulnerability is classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) with a CVSS v3.1 base score of 4.1 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N. The issue exists in the export functionality where broken links are exported to CSV format without proper sanitization of the data (Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to embed untrusted input into exported CSV files. This can lead to code execution when these files are downloaded and opened on local systems with vulnerable configurations (NVD).

The vulnerability has been patched in version 1.3.1 of the Broken Link Notifier plugin. The fix includes proper escaping of CSV values to prevent formula injection and validation of URLs before remote requests using isurlsafe() function (WordPress Plugin Repository).