CVE-2025-6851: 
WordPress vulnerability analysis and mitigation

The Broken Link Notifier plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-6851) affecting all versions up to and including 1.3.0. The vulnerability exists in the ajaxblinks() function which calls the checkurlstatuscode() function, discovered and disclosed on July 11, 2025 (NVD).

The vulnerability allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. The CVSS v3.1 base score is rated as 7.2 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) according to Wordfence's assessment, while NIST rates it as 6.5 MEDIUM. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) (NVD).

This vulnerability can be exploited to query and modify information from internal services. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), potentially affecting confidentiality and integrity of the system (NVD).

A patch has been released in version 1.3.1 of the Broken Link Notifier plugin. The update implements URL validation before making remote requests using the isurlsafe() function. Users are strongly advised to update to version 1.3.1 immediately (WordPress Patch).