CVE-2025-4047: CWE-862 Missing Authorization in wpmudev Broken Link Checker

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-4047, cwe-862
Published: Tue Jun 03 2025 (06/03/2025, 02:27:34 UTC)
Source: CVE Database V5
Vendor/Project: wpmudev
Product: Broken Link Checker

Description

The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajax_full_status and ajax_dashboard_status functions in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view the plugin's status.

AI-Powered Analysis

Last updated: 07/11/2025, 07:01:55 UTC

Technical Analysis

CVE-2025-4047 is a vulnerability in the Broken Link Checker plugin for WordPress, developed by wpmudev. It stems from a missing authorization check (CWE-862) in two AJAX functions, ajax_full_status and ajax_dashboard_status, which do not verify that the requesting user has the appropriate capabilities before disclosing the plugin's status information. As a result, any authenticated user with Subscriber-level access or higher can read potentially sensitive plugin status data that should be restricted. All versions of the plugin up to and including 2.4.4 are affected.

The CVSS v3.1 base score is 4.3, indicating medium severity. The attack vector is network-based (AV:N), attack complexity is low (AC:L), and the attacker needs the privileges of an authenticated user (PR:L). No user interaction is required (UI:N), and the impact is limited to confidentiality (C:L), with no effect on integrity or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability does not allow privilege escalation or code execution, but it could enable unauthorized disclosure of plugin operational data, which might aid attackers in reconnaissance or further targeted attacks.
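The missing-capability pattern described above, as an added example that is not the plugin's own code and is meant to run inside WordPress. The action names, handler names, option keys, nonce action and the choice of `manage_options` are all assumptions made for illustration.

```php
<?php
// Hypothetical plugin code illustrating CWE-862 in a WordPress AJAX handler.
// Action names, option keys and the nonce action are illustrative only.

// wp_ajax_{action} hooks fire for every logged-in user, Subscribers included,
// so registering the hook gives authentication, not authorization.
add_action( 'wp_ajax_example_status_unsafe', 'example_status_unsafe' );
add_action( 'wp_ajax_example_status', 'example_status' );

// Before: returns status data to any authenticated caller.
function example_status_unsafe() {
    wp_send_json_success( example_collect_status() );
}

// After: verify the nonce, then the capability, before touching any data.
function example_status() {
    // Terminates the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_status', 'nonce' );

    // Assumed capability; use the one that matches who may see this screen.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    wp_send_json_success( example_collect_status() );
}

// Stand-in for whatever status data a plugin exposes.
function example_collect_status() {
    return array(
        'last_scan' => get_option( 'example_last_scan', null ),
        'queued'    => (int) get_option( 'example_queue_length', 0 ),
    );
}
```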

Potential Impact

For European organizations using WordPress sites with the Broken Link Checker plugin, this vulnerability poses a moderate risk. Although the direct impact is limited to unauthorized disclosure of plugin status information, such data could reveal insights into site structure, plugin configurations, or operational states that attackers might leverage for more sophisticated attacks. Organizations with multiple user roles, including subscribers or contributors, are particularly at risk since these lower-privileged users can access information beyond their intended scope. This could be exploited in insider threat scenarios or by compromised accounts. The impact is primarily on confidentiality, with no direct effect on data integrity or site availability. However, the information leakage could facilitate social engineering or targeted phishing campaigns against European entities. Given the widespread use of WordPress across Europe for business, governmental, and non-profit websites, the vulnerability could have broad implications if left unmitigated.

Mitigation Recommendations

European organizations should immediately verify if their WordPress installations use the Broken Link Checker plugin, particularly versions up to 2.4.4. Since no official patch links are provided yet, administrators should consider the following steps:

1) Restrict plugin usage to trusted users only, minimizing the number of Subscriber-level or higher accounts;
2) Implement strict role-based access controls and audit user permissions to ensure minimal privilege;
3) Employ Web Application Firewalls (WAFs) to monitor and block suspicious AJAX requests targeting the vulnerable functions;
4) Temporarily disable or remove the Broken Link Checker plugin if it is not essential;
5) Monitor logs for unusual access patterns to ajax_full_status and ajax_dashboard_status endpoints;
6) Stay alert for vendor updates or patches and apply them promptly once available;
7) Educate users about the risks of account compromise and enforce strong authentication mechanisms to reduce the risk of unauthorized access.

These targeted mitigations go beyond generic advice by focusing on access control, monitoring, and temporary risk reduction until a patch is released.

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-28T19:30:54.272Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683ee1eb182aa0cae2739657

Added to database: 6/3/2025, 11:52:11 AM

Last enriched: 7/11/2025, 7:01:55 AM

Last updated: 8/16/2025, 11:57:34 AM
