CVE-2026-7562
MEDIUM
4.3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none
Description
The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification (via check_admin_referer() or wp_verify_nonce()) in the displayWPRedirectionManagementPage() function before processing POST requests that add, edit, or delete URL redirection rules. This makes it possible for unauthenticated attackers to trick a logged-in administrator into clicking a crafted link, causing the attacker to create, modify, or delete redirection records in the plugin's database table without the administrator's consent.
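A heuristic source audit for the pattern described above, added here as an example and not taken from the plugin or the advisory: it flags PHP functions that read POST data without calling a nonce verification function, and forms rendered without wp_nonce_field(). The two PHP samples, the function name displayExamplePage and the nonce names are constructed for illustration and are not the plugin's real code.

```python
import re

# Constructed PHP samples (NOT the plugin's real source): a settings handler
# that acts on $_POST with no nonce check, and the same handler hardened.
UNPROTECTED = r'''
function displayExamplePage() {
    if (isset($_POST['action']) && $_POST['action'] == 'delete') {
        delete_rule(intval($_POST['id']));
    }
    echo '<form method="post"><input name="id"></form>';
}
'''
HARDENED = r'''
function displayExamplePage() {
    if (isset($_POST['action']) && $_POST['action'] == 'delete') {
        check_admin_referer('example_save', 'example_nonce');
        delete_rule(intval($_POST['id']));
    }
    echo '<form method="post">';
    wp_nonce_field('example_save', 'example_nonce');
    echo '<input name="id"></form>';
}
'''

FUNC_RE = re.compile(r'function\s+(\w+)\s*\([^)]*\)\s*\{')
VERIFY_RE = re.compile(r'\b(check_admin_referer|wp_verify_nonce|check_ajax_referer)\s*\(')
POST_RE = re.compile(r'\$_(POST|REQUEST)\b')

def function_bodies(src):
    """Yield (name, body) per PHP function via naive brace matching.
    Heuristic only: braces inside string literals are not handled."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def audit(src):
    """Return (function, reason) for handlers lacking CSRF nonce protection."""
    findings = []
    for name, body in function_bodies(src):
        if not POST_RE.search(body):
            continue  # function does not touch request data
        if not VERIFY_RE.search(body):
            findings.append((name, 'POST handled without nonce verification'))
        elif '<form' in body and 'wp_nonce_field' not in body:
            findings.append((name, 'form rendered without wp_nonce_field()'))
    return findings
```

A finding from this check is a lead for manual review rather than proof, since verification can also happen in a caller or a hook outside the function body.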
CWE-352: Cross-Site Request Forgery (CSRF)
Stable
Common Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Non-Repudiation
Access Control
Potential Impacts:
Gain Privileges Or Assume Identity
Bypass Protection Mechanism
Read Application Data
Modify Application Data
DoS: Crash, Exit, or Restart
Applicable Platforms
Technologies:
Web Based, Web Server
https://plugins.trac.wordpress.org/browser/wp-redirection/tags/1.0.3/wp-redirec…
https://plugins.trac.wordpress.org/browser/wp-redirection/tags/1.0.3/wp-redirec…
https://plugins.trac.wordpress.org/browser/wp-redirection/trunk/wp-redirection.…
https://plugins.trac.wordpress.org/browser/wp-redirection/trunk/wp-redirection.…
https://www.wordfence.com/threat-intel/vulnerabilities/id/15177d1b-ef48-49e3-9b…