CVE-2021-25093

7.5 HIGH

📋 TL;DR

The Link Library WordPress plugin before version 7.2.8 has an authorization vulnerability that allows unauthenticated users to delete arbitrary links via crafted requests. This affects all WordPress sites running vulnerable versions of the plugin. Attackers can delete important links without requiring any authentication.

💻 Affected Systems

Products:
  • Link Library WordPress plugin
Versions: All versions before 7.2.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with Link Library plugin installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers delete all links including critical navigation, affiliate, or resource links, causing website functionality disruption and potential business impact.

🟠 Likely Case

Attackers delete random or targeted links, causing broken navigation and user experience issues on affected WordPress sites.

🟢 If Mitigated

No impact if plugin is patched or proper access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.2.8

Vendor Advisory: https://wpscan.com/vulnerability/7a7603ce-d76d-4c49-a886-67653bed8cd3

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Link Library plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 7.2.8+ from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Link Library plugin

Platform: all

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate link-library

Web Application Firewall rule

Platform: all

Block unauthorized link deletion requests at the WAF level.

🧯 If You Can't Patch

  • Implement strict network access controls to limit plugin access to trusted IPs only.
  • Monitor and alert on unauthorized link deletion attempts in WordPress logs.

🔍 How to Verify

Check if Vulnerable:

Check Link Library plugin version in WordPress admin panel under Plugins.

Check Version:

wp plugin get link-library --field=version

Verify Fix Applied:

Confirm plugin version is 7.2.8 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to link deletion endpoints
  • Multiple link deletion events from single IP

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=delete_link from unauthenticated sources

SIEM Query:

source="wordpress.log" AND "action=delete_link" AND NOT user_id=*
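Detection logic for the two log indicators above, as an added example that is not code from the page or from the plugin: it runs over a constructed JSON-lines application log and raises one alert per unauthenticated deletion and one per IP that issued a burst of deletions. The log format and field names (`ip`, `user_id`, `params.action`) are assumptions standing in for whatever WordPress audit logging the site actually produces; the `delete_link` action name is taken from this page's indicators.

```python
import json
from collections import Counter

# Constructed sample of an application-level WordPress request log (JSON lines).
# This format and its field names are assumptions made for this example.
SAMPLE_LOG = """\
{"ts":"2022-03-10T10:01:02Z","ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","params":{"action":"delete_link","link_id":"17"},"user_id":null}
{"ts":"2022-03-10T10:01:03Z","ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","params":{"action":"delete_link","link_id":"18"},"user_id":null}
{"ts":"2022-03-10T10:01:04Z","ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","params":{"action":"delete_link","link_id":"19"},"user_id":null}
{"ts":"2022-03-10T10:05:00Z","ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","params":{"action":"delete_link","link_id":"3"},"user_id":1}
{"ts":"2022-03-10T10:06:00Z","ip":"192.0.2.9","method":"POST","uri":"/wp-admin/admin-ajax.php","params":{"action":"heartbeat"},"user_id":null}
"""

DELETE_ACTION = "delete_link"   # action name as given in this page's indicators
PER_IP_THRESHOLD = 3            # deletions from one IP before a volume alert fires


def is_link_deletion(event):
    """True for a POST to admin-ajax.php carrying the link-deletion action."""
    return (event.get("method") == "POST"
            and event.get("uri", "").endswith("/wp-admin/admin-ajax.php")
            and event.get("params", {}).get("action") == DELETE_ACTION)


def detect(log_text, per_ip_threshold=PER_IP_THRESHOLD):
    """Return a list of alert tuples from JSON-lines log text.

    ('unauth_delete', ip, link_id) fires for each deletion with no user_id
    (first log indicator); ('delete_burst', ip, count) fires once per IP that
    issued at least per_ip_threshold deletions (second log indicator).
    """
    alerts = []
    per_ip = Counter()
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue                # skip malformed lines rather than crash
        if not is_link_deletion(event):
            continue
        per_ip[event.get("ip", "?")] += 1
        if event.get("user_id") is None:
            alerts.append(("unauth_delete", event.get("ip", "?"), event["params"].get("link_id")))
    for ip, count in per_ip.items():
        if count >= per_ip_threshold:
            alerts.append(("delete_burst", ip, count))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The authenticated deletion from 198.51.100.7 (user_id set, single event) produces no alert, which is the behaviour the SIEM query above also relies on.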
