WordPress Plugin Vulnerabilities

Internal Links Manager < 2.5.3 - Missing Authorization

Description

The Internal Links Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
seo-automated-link-building
Fixed in 2.5.3

References

CVE
CVE-2025-24679
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7c9e5fb6-5a78-4890-8cc4-2b9e417ff903

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Caesar Evan Santoso
Verified
No
WPVDB ID
7eae3c65-853a-425f-9b23-f6a96867955c

Timeline

Publicly Published
2025-01-24 (about 1 year ago)
Added
2025-01-28 (about 1 year ago)
Last Updated
2025-01-28 (about 1 year ago)

Other

Published
Title
Published
2025-05-09
Title
Lead Form Data Collection to CRM < 3.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2024-01-02
Title
WooCommerce PDF Invoices < 4.3.1 - Subscriber+ Arbitrary Order Export
Published
2024-02-26
Title
Download Media <= 1.4.2 - Missing Authorization via generate_link_for_media
Published
2024-07-01
Title
Cost Calculator Builder < 3.2.13 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation
Published
2026-01-15
Title
AffiliateX 1.0.0 - 1.3.9.3 - Authenticated (Subscriber+) Missing Authorization to Stored Cross-Site Scripting via save_customization_settings