CVE-2026-7562

EUVD-2026-29417

12.05.2026, 09:16

The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification (via check_admin_referer() or wp_verify_nonce()) in the displayWPRedirectionManagementPage() function before processing POST requests that add, edit, or delete URL redirection rules. This makes it possible for unauthenticated attackers to trick a logged-in administrator into clicking a crafted link, causing the attacker to create, modify, or delete redirection records in the plugin's database table without the administrator's consent.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://plugins.trac.wordpress.org/browser/wp-redirection/tags/1.0.3/wp-redirection.php#L219

https://plugins.trac.wordpress.org/browser/wp-redirection/tags/1.0.3/wp-redirection.php#L39

https://plugins.trac.wordpress.org/browser/wp-redirection/trunk/wp-redirection.php#L219

https://plugins.trac.wordpress.org/browser/wp-redirection/trunk/wp-redirection.php#L39

https://www.wordfence.com/threat-intel/vulnerabilities/id/15177d1b-ef48-49e3-9bd9-34262ed2c134?source=cve