🔐 CVE Alert

CVE-2026-3552

MEDIUM 4.3

SurfLink < 2.6.0 - Missing Authorization to Authenticated (Subscriber+) 410 Gone URL Import via 'surfl_import_410' AJAX Action

CVSS Score
4.3
EPSS Score
0.2%
EPSS Percentile
12th

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0. This is due to a missing capability check (current_user_can()) and missing nonce verification (check_ajax_referer()) in the ajax_import_410() function, while all other AJAX handlers in the same class (ajax_add_single_410, ajax_save_editted_410, ajax_delete_410, ajax_bulk_410_delete, ajax_empty_410, ajax_export_410) properly implement both authorization and nonce checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary URLs into the 410 Gone database table via the surfl_import_410 AJAX action. Injected URLs will cause the site to return HTTP 410 Gone responses to all visitors accessing those paths, potentially causing denial of service for legitimate pages and SEO damage through search engine delisting.

CWE CWE-862
Vendor surflabtech
Product surflink – link manager & backup restore
Published Jul 11, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for surflabtech surflink – link manager & backup restore

Be the first to know when new medium vulnerabilities affecting surflabtech surflink – link manager & backup restore are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

surflabtech / SurfLink – Link Manager & Backup Restore
0 < 2.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/22e0060d-7852-4326-98bc-1c49bebe6205?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/surflink/trunk/includes/class-surfl-410.php#L585 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/surflink/tags/2.4.1/includes/class-surfl-410.php#L585 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/surflink/trunk/includes/class-surfl-410.php#L513 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/surflink/tags/2.4.1/includes/class-surfl-410.php#L513 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/surflink/trunk/includes/class-surfl-410.php#L32 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/surflink/tags/2.4.1/includes/class-surfl-410.php#L32 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?reponame=&old=3542304%40surflink&new=3542304%40surflink

Credits

Kazuma Matsumoto