CVE-2025-6838 MEDIUM

CVE-2025-6838: Broken Link Notifier <= 1.3.0 - Authenticated (Contributor+) CSV Injection

Vendor Apos37
Product Broken Link Notifier
Weakness CWE-1236
Published July 11, 2025
Last update April 8, 2026

CVSS base score

4.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01 Description

The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. This makes it possible for authenticated attackers, with Contributor-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
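The defensive side of the issue described above, as an added example that is not the plugin's own code: a small CSV export routine that neutralizes formula-leading cells (CWE-1236) before writing them out. The column names and the sample broken-link rows are constructed for illustration.

```python
import csv
import io

# Characters that spreadsheet applications treat as the start of a formula.
# Tab and carriage return are included because some applications evaluate a
# cell after stripping them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if the cell would be read as a formula when opened in a
    spreadsheet. Leading whitespace is skipped because some applications
    trim it before evaluating the cell."""
    return cell.lstrip(" \t\r\n").startswith(FORMULA_TRIGGERS)


def _is_plain_number(cell: str) -> bool:
    """Negative numbers such as "-12" start with a trigger character but are
    harmless; keep them unchanged so numeric columns stay usable."""
    try:
        float(cell.strip())
        return True
    except ValueError:
        return False


def neutralize_cell(cell: str) -> str:
    """Prefix a formula-like cell with a single quote so the spreadsheet
    stores it as text instead of evaluating it."""
    if is_formula_like(cell) and not _is_plain_number(cell):
        return "'" + cell
    return cell


def export_broken_links(rows) -> str:
    """Write broken-link rows (post title, URL, HTTP status) to CSV text,
    quoting every field and neutralizing formula-like content."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["Post", "URL", "Status"])  # assumed column layout
    for row in rows:
        writer.writerow([neutralize_cell(str(c)) for c in row])
    return buf.getvalue()


# Constructed sample data: one ordinary broken link and one whose URL field
# was filled with formula-like text by a low-privileged author.
SAMPLE_ROWS = [
    ("About us", "https://example.com/missing-page", 404),
    ("Contact", "=2+2", 404),
]
```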

Explanation of Vulnerability in Simple Terms

02 Summary

Broken Link Notifier versions 1.3.0 and earlier do not neutralize formula elements in the broken-link data they export to CSV (CWE-1236). A user with Contributor-level access or above can plant link content that begins with a formula character; when the broken links are later exported and the file is opened in a spreadsheet application with a vulnerable configuration, that content may be evaluated on the local system. Exploitation requires user interaction, and the impact lands outside the vulnerable component (CVSS scope: changed). No confidentiality or availability impact occurs.

What an attacker can do

03 Attacker Capabilities

Embed untrusted, formula-like content into broken-link records that are later exported to CSV; if the exported file is opened in a spreadsheet application with a vulnerable configuration, that content may be executed on the local system of the person who opens it.

Potential impact on your site

04 Site Impact

Low integrity impact: exported CSV files can carry attacker-supplied content that may execute on the local system where the file is downloaded and opened.

Conditions required to exploit

05 Prerequisites

An authenticated account with Contributor-level access or above; a victim must export the broken links to CSV and open the file on a local system with a vulnerable configuration.

Key dates

06 Disclosure timeline

July 11, 2025 CVE published
April 8, 2026 Record updated