CVE-2025-11451

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to read arbitrary files on WordPress servers running the Auto Amazon Links plugin. Attackers can access sensitive files like configuration files, database credentials, or other system files. All WordPress sites using this plugin up to version 5.4.3 are affected.

💻 Affected Systems

Products:
  • Auto Amazon Links – Amazon Associates Affiliate Plugin for WordPress
Versions: All versions up to and including 5.4.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with this plugin enabled are vulnerable by default. No special configuration required.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive configuration files (such as wp-config.php, which contains the database credentials), followed by database access, privilege escalation, or lateral movement.

🟠 Likely Case

Exfiltration of configuration files, database credentials, or other sensitive data, leading to site compromise or a data breach.

🟢 If Mitigated

Limited impact if file permissions restrict sensitive files or the web server runs with minimal privileges, though arbitrary file reads still provide reconnaissance value.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation via public REST API endpoint makes all affected internet-facing WordPress sites vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to the REST API endpoint with file path parameters can exploit this vulnerability. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.4.4 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/readme.txt

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the 'Auto Amazon Links' plugin.
  4. Click 'Update Now' if an update is available.
  5. If no update appears, manually download version 5.4.4 or later from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable REST endpoint

Platform: all

Block access to the vulnerable '/wp-json/wp/v2/aal_ajax_unit_loading' endpoint via web server configuration or WordPress filters. The rules below match the pretty-permalink path only; if the REST API on your site is also reachable through the rest_route query parameter, extend the block to cover that form as well.

# Apache .htaccess
RewriteEngine On
RewriteRule ^wp-json/wp/v2/aal_ajax_unit_loading - [F,L]

# Nginx configuration
location ~* ^/wp-json/wp/v2/aal_ajax_unit_loading { deny all; }

Disable plugin

Platform: all

Temporarily disable the Auto Amazon Links plugin until patched.

# WordPress CLI
wp plugin deactivate amazon-auto-links

🧯 If You Can't Patch

  • Implement strict file permissions (chmod 600 for sensitive files like wp-config.php). This only protects files the web server process does not itself need to read; wp-config.php must remain readable by that process, so the endpoint block and WAF rules are the controls that actually stop the read.
  • Deploy web application firewall (WAF) rules to block requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check if plugin version is 5.4.3 or lower in WordPress admin panel or via 'wp plugin list' command.

Check Version:

wp plugin list --name=amazon-auto-links --field=version

Verify Fix Applied:

Confirm the plugin version is 5.4.4 or higher. Test endpoint access with curl: 'curl -X POST https://yoursite.com/wp-json/wp/v2/aal_ajax_unit_loading' should return an error response, not file contents.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to '/wp-json/wp/v2/aal_ajax_unit_loading' with file path parameters
  • Unusual file access patterns from web server process

Network Indicators:

  • POST requests to vulnerable endpoint with file traversal patterns (../, absolute paths)

SIEM Query:

web_access_logs WHERE url_path LIKE '%/wp-json/wp/v2/aal_ajax_unit_loading%' AND (request_body CONTAINS '../' OR request_body CONTAINS '/etc/' OR request_body CONTAINS 'wp-config')
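As an added example (not part of this advisory), the following Python script applies the same indicators as the SIEM query above to constructed reverse-proxy log records, and also normalizes URL-encoded traversal that a plain substring match misses. The JSON field names, the 'unit' parameter name and the sample addresses are assumptions; a request body is only available where body logging is enabled at the WAF or proxy.

```python
"""Flag requests to the Auto Amazon Links REST endpoint carrying the file-read
indicators named in this advisory. Input: one JSON record per line, as a WAF or
reverse proxy with body logging might emit (field names constructed)."""
import json
import re
from urllib.parse import unquote

ENDPOINT = "/wp-json/wp/v2/aal_ajax_unit_loading"
# Indicators from the advisory: traversal, absolute system paths, wp-config.
INDICATORS = [
    ("traversal", re.compile(r"\.\.[\\/]")),
    ("absolute-path", re.compile(r"/(etc|proc)/")),
    ("wp-config", re.compile(r"wp-config", re.IGNORECASE)),
]

def normalize(value: str) -> str:
    """Undo up to two layers of URL encoding so %2e%2e%2f and %252e%252e%252f
    compare the same as a literal ../ (a plain substring match misses these)."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def detect(lines):
    """One hit per record that targets the endpoint and carries an indicator."""
    hits = []
    for raw in filter(str.strip, lines):  # skip blank lines
        rec = json.loads(raw)
        path = normalize(rec.get("path", ""))
        if ENDPOINT not in path:  # other REST routes are out of scope
            continue
        haystack = path + "\n" + normalize(rec.get("body", ""))
        reasons = [name for name, rx in INDICATORS if rx.search(haystack)]
        if reasons:
            hits.append({"src_ip": rec.get("src_ip"), "reasons": reasons})
    return hits

# Constructed sample records (RFC 5737 addresses; the 'unit' parameter is assumed).
SAMPLE_LOG = """
{"src_ip": "203.0.113.7", "path": "/wp-json/wp/v2/aal_ajax_unit_loading", "body": "unit=../../../../wp-config.php"}
{"src_ip": "198.51.100.2", "path": "/wp-json/wp/v2/aal_ajax_unit_loading", "body": "unit=%2e%2e%2f%2e%2e%2fetc%2fpasswd"}
{"src_ip": "192.0.2.9", "path": "/wp-json/wp/v2/posts", "body": ""}
{"src_ip": "192.0.2.10", "path": "/wp-json/wp/v2/aal_ajax_unit_loading", "body": "unit=42"}
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)  # only the two probing records are reported
```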
