CVE-2026-7561
Cross-Site Request Forgery in Tm WordPress Redirection Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tm | wordpress_redirection | to 1.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Tm WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.2.
This vulnerability exists because of missing or incorrect nonce validation on a function within the plugin.
As a result, unauthenticated attackers can trick a site administrator into performing an action, such as clicking on a malicious link, which allows the attacker to update settings and inject malicious web scripts via a forged request.
How can this vulnerability impact me?
An attacker who has no account on the site can update plugin settings and inject malicious scripts, provided they trick a site administrator into triggering the forged request.
If an attacker successfully exploits this, it could lead to unauthorized changes on your WordPress site and potentially compromise site security.
The injected malicious scripts could be used to perform further attacks such as stealing user data or hijacking user sessions.