CVE-2026-3552
Received Received - Intake

Unauthorized Data Modification in SurfLink Ultimate Link Manager

Vulnerability report for CVE-2026-3552, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0. This is due to a missing capability check (current_user_can()) and missing nonce verification (check_ajax_referer()) in the ajax_import_410() function, while all other AJAX handlers in the same class (ajax_add_single_410, ajax_save_editted_410, ajax_delete_410, ajax_bulk_410_delete, ajax_empty_410, ajax_export_410) properly implement both authorization and nonce checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary URLs into the 410 Gone database table via the surfl_import_410 AJAX action. Injected URLs will cause the site to return HTTP 410 Gone responses to all visitors accessing those paths, potentially causing denial of service for legitimate pages and SEO damage through search engine delisting.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
surflink ultimate_link_manager to 2.6.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The SurfLink - Ultimate Link Manager plugin for WordPress has a vulnerability due to a missing capability check and nonce verification in the ajax_import_410() function. This means that authenticated users with Subscriber-level access or higher can import arbitrary URLs into the 410 Gone database table via the surfl_import_410 AJAX action.

Because of this, the site will return HTTP 410 Gone responses for those injected URLs, which can affect how visitors and search engines interact with the site.

Impact Analysis

This vulnerability can cause denial of service for legitimate pages on the affected website by making them return HTTP 410 Gone responses.

Additionally, it can cause SEO damage because search engines may delist the affected pages due to the 410 Gone responses.

Detection Guidance

This vulnerability involves unauthorized data modification via the ajax_import_410() function in the SurfLink - Ultimate Link Manager WordPress plugin. Detection would involve monitoring AJAX requests to the surfl_import_410 action for suspicious activity, especially from users with Subscriber-level access or above.

Since the vulnerability allows importing arbitrary URLs into the 410 Gone database table, you can check your WordPress site's database for unexpected or unauthorized entries in the 410 Gone paths.

There are no specific commands provided in the available resources to detect this vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the ajax_import_410() function by ensuring proper capability checks (current_user_can()) and nonce verification (check_ajax_referer()) are implemented.

Until a patch is available, consider disabling or removing the SurfLink - Ultimate Link Manager plugin or restricting user roles that can access the AJAX import functionality to trusted administrators only.

Monitor your site for unauthorized 410 Gone entries and remove any suspicious URLs that may have been injected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3552. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart