What the vulnerability does
01 Description
Cross-Site Request Forgery (CSRF) vulnerability in mihdan Mihdan: No External Links mihdan-no-external-links allows Cross Site Request Forgery. This issue affects Mihdan: No External Links: from n/a through <= 5.1.6.2.
Explanation of Vulnerability in Simple Terms
02 Summary
The Mihdan: No External Links plugin contains a cross-site request forgery (CSRF) vulnerability affecting versions up to 5.1.6.2. An attacker can craft a malicious link or page that, when visited by a logged-in site administrator, performs unwanted actions on the site without their knowledge. The vulnerability requires user interaction but no authentication from the attacker.
What an attacker can do
03 Attacker Capabilities
Trick a site admin into visiting a malicious page to perform unwanted actions on the site.
Potential impact on your site
04 Site Impact
An attacker can modify plugin settings or site content if an admin visits a malicious link.
Conditions required to exploit
05 Prerequisites
Site admin must visit an attacker-controlled page while logged into WordPress.
Key dates
06 Disclosure timeline
September 22, 2025: CVE published
April 28, 2026: Record updated