CVE-2025-7507 MEDIUM

CVE-2025-7507: elink – Embed Content <= 1.1.0 - Authenticated (Contributor+) Insufficient Input Validation

Vendor Elinkcontent
Product elink – Embed Content
Weakness CWE-20 · Input validation
Published August 15, 2025
Last update April 8, 2026

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

What the vulnerability does

01 Description

The elink – Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLs that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to supply an HTML file that can be leveraged to redirect users to a malicious domain.

Key dates

02 Disclosure timeline

August 15, 2025 CVE published
April 8, 2026 Record updated
