CVE-2025-6838

4.1 MEDIUM

📋 TL;DR

The Broken Link Notifier WordPress plugin contains a CSV injection vulnerability that allows authenticated attackers with Contributor-level access or higher to embed malicious formulas in exported CSV files. When these files are downloaded and opened in vulnerable spreadsheet applications like Excel, they can execute arbitrary code on the local system. This affects all WordPress sites using Broken Link Notifier version 1.3.0 or earlier.

💻 Affected Systems

Products:
  • Broken Link Notifier WordPress Plugin
Versions: All versions up to and including 1.3.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Contributor-level WordPress user account or higher. Exploitation depends on vulnerable spreadsheet software configuration on the victim's system.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains Contributor access, injects malicious formulas into broken link data, exports CSV files, and when administrators download and open these files in vulnerable spreadsheet software, arbitrary code executes on their local systems, potentially leading to full system compromise.

🟠 Likely Case

Attackers with legitimate Contributor accounts (or higher) inject formulas that execute commands when CSV files are opened in Excel or LibreOffice, potentially stealing credentials, installing malware, or accessing sensitive data from the administrator's workstation.

🟢 If Mitigated

With proper security controls, the impact is limited to data manipulation within the CSV file itself, as modern spreadsheet applications may prompt users before executing formulas or organizations may block macro execution by default.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and social engineering to convince administrators to download and open CSV files. CSV injection techniques are well-documented and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3323864%40broken-link-notifier&new=3323864%40broken-link-notifier&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Broken Link Notifier' and click 'Update Now'.
4. Alternatively, download version 1.3.1 from WordPress.org and manually replace the plugin files.

🔧 Temporary Workarounds

Disable CSV Export (all)

Remove CSV export functionality by modifying plugin files or using access controls

# Edit wp-content/plugins/broken-link-notifier/includes/export.php and comment out CSV export functions

Restrict User Roles (all)

Limit Contributor and higher role assignments to trusted users only

# Use WordPress role management plugins or functions to audit and restrict user capabilities

🧯 If You Can't Patch

  • Disable the Broken Link Notifier plugin entirely until patching is possible
  • Implement strict spreadsheet security policies: disable automatic formula execution in Excel/LibreOffice, open CSV files in text editors only

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Broken Link Notifier → Version. If version is 1.3.0 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=broken-link-notifier --field=version

Verify Fix Applied:

After updating, verify the plugin version shows 1.3.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple CSV export requests from Contributor-level users
  • Unusual broken link submissions containing formula characters (=, +, -, @)
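As an added illustration (not code from the plugin or from this advisory), the Python below shows the two defensive controls this page describes: neutralizing user-controlled cells before a CSV export, and flagging submitted link fields that begin with the formula characters listed under Log Indicators. The record field names and sample rows are constructed for the example.

```python
import csv
import io

# Leading characters Excel and LibreOffice may treat as the start of a formula;
# tab and carriage return count because some importers strip them first.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def looks_like_formula(value: str) -> bool:
    """True if the cell would be interpreted as a formula on import."""
    return value.startswith(FORMULA_TRIGGERS)

def neutralize_cell(value):
    """Prefix formula-looking text with a single quote so it is shown as literal
    text. Negative numbers become text too: the accepted trade-off here."""
    if isinstance(value, str) and looks_like_formula(value):
        return "'" + value
    return value

def export_rows(rows):
    """Write rows as CSV text with every cell neutralized and quoted. Quoting
    every field also doubles embedded double quotes, so a value cannot close
    its own cell and spill formula text into the next one."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

# Constructed sample of submitted broken-link records; the field names are an
# assumption for illustration, not the plugin's real schema.
SAMPLE_SUBMISSIONS = [
    {"user": "editor1", "role": "editor",
     "url": "https://example.com/old-page", "anchor": "Old page"},
    {"user": "contrib7", "role": "contributor",
     "url": "https://example.com/x", "anchor": "=SUM(1,2)"},
    {"user": "contrib7", "role": "contributor",
     "url": "@example", "anchor": "link"},
]

def flag_submissions(submissions, fields=("url", "anchor")):
    """Return (user, field, value) for every user-supplied field that starts
    with a formula trigger, for review or alerting before any export."""
    hits = []
    for record in submissions:
        for field in fields:
            value = str(record.get(field, ""))
            if looks_like_formula(value):
                hits.append((record["user"], field, value))
    return hits
```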

Network Indicators:

  • CSV file downloads from WordPress admin area followed by unusual outbound connections from user workstations

SIEM Query:

source="wordpress" AND (event="csv_export" OR url_path="/wp-admin/admin-ajax.php") AND user_role="contributor"
