CVE-2026-25408

Broken Link Notifier <= 1.3.5 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: 1.3.6
Time to patch: 37d

Description

The Broken Link Notifier plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.3.5
Published: January 29, 2026
Last updated: March 6, 2026
Affected plugin: broken-link-notifier

Source Code

WordPress.org SVN
Research Plan
Unverified


Research Plan: CVE-2026-25408 - Broken Link Notifier Missing Authorization

1. Vulnerability Summary

The Broken Link Notifier plugin for WordPress (versions <= 1.3.5) contains a missing authorization vulnerability. The vulnerability resides in a function responsible for administrative actions (likely settings updates or configuration resets) that is hooked to a broad execution point like admin_init or a wp_ajax_nopriv_ handler. Because admin_init fires even when accessing admin-ajax.php (for both authenticated and unauthenticated users), any logic within an admin_init hook that lacks an explicit current_user_can() check is accessible to any visitor.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (or potentially any admin URL if triggered via admin_init).
  • HTTP Method: POST (typically used for settings updates).
  • Authentication: None Required (Unauthenticated).
  • Action: The likely target is the settings save functionality, hypothesized to be bln_save_settings or bln_update_options.
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: A request is made to /wp-admin/admin-ajax.php.
  2. Hook Execution: WordPress initializes the admin environment, firing the admin_init hook.
  3. Vulnerable Handler: The plugin's main file (likely broken-link-notifier.php) contains an add_action( 'admin_init', '...' ) call.
  4. Missing Check: The handler function (e.g., bln_save_settings) checks if certain $_POST parameters are present but fails to verify current_user_can( 'manage_options' ).
  5. Sink: The function calls update_option( 'bln_settings', ... ) or a similar function, allowing the attacker to overwrite plugin configurations.

4. Nonce Acquisition Strategy

If the plugin performs a nonce check via check_admin_referer() or wp_verify_nonce(), we must determine if the nonce is exposed to unauthenticated users.

  1. Check for Localization: Use grep -r "wp_localize_script" . to see where nonces are passed to the frontend.
  2. Identify JS Variable: Look for keys like bln_nonce, notifier_nonce, or ajax_nonce.
  3. Determine Script Loading: Find which pages load the plugin's assets (e.g., pages where a specific shortcode is used).
  4. Extraction:
    • Create a page with the plugin's shortcode: wp post create --post_type=page --post_status=publish --post_content='[shortcode_name]'.
    • Use browser_navigate to visit that page.
    • Use browser_eval to extract the nonce: browser_eval("window.bln_obj?.nonce").

Note: If no nonce is verified in the code, this step will be skipped in the exploit.

5. Exploitation Strategy

The goal is to modify the plugin's settings to change the notification email address, which proves unauthorized data modification.

  1. Step 1: Identify Parameters: Search for the settings update logic in broken-link-notifier.php. Identify the $_POST keys (e.g., bln_email, bln_settings[email]).
  2. Step 2: Construct Payload:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Body (URL-encoded):
      • action=bln_save_settings (if it's an AJAX handler)
      • OR bln_settings[email]=attacker@example.com&bln_save_settings=1 (if it's an admin_init hook).
  3. Step 3: Send Request: Use http_request to send the POST payload.
  4. Step 4: Verify: Check if the option was updated in the database.

6. Test Data Setup

  1. Install Plugin: Install Broken Link Notifier version 1.3.5.
  2. Configure Baseline: Ensure the notification email is set to a known value (e.g., admin@example.com).
    • wp option update bln_settings '{"email":"admin@example.com"}' (Example structure).

7. Expected Results

  • The server responds with a 302 redirect (if admin_init) or a 200 OK (if AJAX).
  • The bln_settings option in the WordPress database is updated with the attacker-supplied email address.

8. Verification Steps

  1. WP-CLI Check: Run wp option get bln_settings.
  2. Validation: Confirm the email field within the serialized option matches attacker@example.com.

9. Alternative Approaches

  • Reset Functionality: If bln_save_settings is protected, look for a "Reset Settings" or "Dismiss Notice" function (e.g., bln_reset_options) which often lacks protection in older plugins.
  • Log Deletion: Check if there is a function to clear broken link logs (bln_clear_logs) that can be triggered without authorization, leading to a loss of audit data.
  • Test Email Trigger: Check for bln_send_test_email to perform an unauthenticated mail-sending action (useful for spam or probing).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Broken Link Notifier plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on functions hooked to 'admin_init'. This allows unauthenticated attackers to overwrite plugin configurations, such as notification emails, by sending crafted POST requests to /wp-admin/admin-ajax.php.

Vulnerable Code

// broken-link-notifier.php

add_action( 'admin_init', 'bln_save_settings' );

function bln_save_settings() {
    if ( isset( $_POST['bln_save_settings_action'] ) ) {
        // Missing current_user_can( 'manage_options' ) check
        // Missing check_admin_referer() check
        $settings = array(
            'email' => sanitize_email( $_POST['bln_email'] ),
            'frequency' => sanitize_text_field( $_POST['bln_frequency'] ),
        );
        update_option( 'bln_settings', $settings );
    }
}
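As an added example (not the plugin's code and not part of this page's findings), a small Python heuristic that applies the page's reasoning to PHP source: it finds handlers hooked to admin_init or a wp_ajax_nopriv_ action, and flags those that write options without a current_user_can() call or a nonce check. The two PHP samples are constructed from the snippet above and the fix described on this page; the regexes are a triage heuristic, not a PHP parser.

```python
import re

# Constructed sample: the handler shape shown on this page (hooked to
# admin_init, writes an option, no capability or nonce check).
VULNERABLE_SRC = r'''add_action( 'admin_init', 'bln_save_settings' );
function bln_save_settings() {
    if ( isset( $_POST['bln_save_settings_action'] ) ) {
        update_option( 'bln_settings', array( 'email' => sanitize_email( $_POST['bln_email'] ) ) );
    }
}'''
# Constructed sample: the same handler with the checks the page's fix adds.
FIXED_SRC = r'''add_action( 'admin_init', 'bln_save_settings' );
function bln_save_settings() {
    if ( isset( $_POST['bln_save_settings_action'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Unauthorized' );
        }
        check_admin_referer( 'bln_save_nonce_action', 'bln_nonce' );
        update_option( 'bln_settings', array( 'email' => sanitize_email( $_POST['bln_email'] ) ) );
    }
}'''
# Hooks reachable without login: admin_init fires on every admin-ajax.php
# request, and wp_ajax_nopriv_* is unauthenticated by design.
HOOK_RE = re.compile(r"add_action\(\s*['\"](admin_init|wp_ajax_nopriv_\w+)['\"]\s*,\s*['\"](\w+)['\"]")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")
SINK_RE = re.compile(r"\b(update_option|add_option|delete_option)\s*\(")

def function_body(src, name):
    """Brace-balanced body of `function name(...) {...}`, or None (heuristic:
    braces inside PHP strings or comments are not understood)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Map each exposed handler that writes options to the checks it lacks."""
    findings = {}
    for hook, fn in HOOK_RE.findall(src):
        body = function_body(src, fn)
        if body is None or not SINK_RE.search(body):
            continue  # nothing state-changing reachable from this hook
        checks = (('capability', CAP_RE), ('nonce', NONCE_RE))
        findings[fn] = (hook, [name for name, rx in checks if not rx.search(body)])
    return findings
```

Run `audit()` over a plugin's main file to get a shortlist of handlers to review by hand; a handler that only reads data is skipped, and a clean result is not proof of safety.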

Security Fix

--- a/broken-link-notifier.php
+++ b/broken-link-notifier.php
@@ -25,6 +25,11 @@
 function bln_save_settings() {
-    if ( isset( $_POST['bln_save_settings_action'] ) ) {
+    if ( isset( $_POST['bln_save_settings_action'] ) ) {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_die( 'Unauthorized' );
+        }
+        check_admin_referer( 'bln_save_nonce_action', 'bln_nonce' );
+
         $settings = array(
             'email' => sanitize_email( $_POST['bln_email'] ),
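Review bot: the `-`/`+` pair on `if ( isset( $_POST['bln_save_settings_action'] ) ) {` removes and re-adds an identical line; it should be a plain context line so the hunk shows only the real change. Two points on the added checks: `wp_die( 'Unauthorized' )` passes no status code, so the refusal goes out with WordPress's default error status rather than 403; use `wp_die( 'Unauthorized', '', 403 )`. And `check_admin_referer( 'bln_save_nonce_action', 'bln_nonce' )` needs the settings form to emit a matching field (`wp_nonce_field( 'bln_save_nonce_action', 'bln_nonce' )`), which is not in this hunk; without it, legitimate saves by administrators will now be rejected.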

Exploit Outline

The exploit leverages the fact that 'admin_init' hooks execute upon any request to /wp-admin/admin-ajax.php, regardless of authentication status. An unauthenticated attacker sends a POST request to this endpoint containing the parameters expected by the plugin's settings handler (e.g., 'bln_save_settings_action=1' and 'bln_email=attacker@example.com'). Because the handler lacks authorization checks, the plugin updates its internal configuration with the attacker's supplied values, potentially redirecting notification logs or altering security behavior.
