CVE-2026-7562
Cross-Site Request Forgery in WP-Redirection WordPress Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp-redirection | up to 1.0.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WP-Redirection plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0.3. This occurs because the plugin's admin settings form lacks a nonce field and does not verify any nonce before processing POST requests that add, edit, or delete URL redirection rules. As a result, an attacker can trick a logged-in administrator into clicking a malicious link, which then allows the attacker to create, modify, or delete redirection records in the plugin's database without the administrator's consent.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to manipulate URL redirection rules in the WP-Redirection plugin by tricking an administrator into performing unintended actions. This could lead to unauthorized changes in redirection behavior on the affected WordPress site, potentially redirecting users to malicious sites or disrupting normal site functionality.
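The fix for the missing nonce field and nonce verification described above, as an added example that is not the WP-Redirection plugin's own code: a settings form that emits a nonce, and a handler that checks the caller's capability and the nonce before it changes a redirect rule. The function, field, action and table names (`wpr_example_*`, `source_path`, `target_url`) are hypothetical; the WordPress calls are core APIs.

```php
<?php
// Added example with hypothetical names (wpr_example_*); not the plugin's own code.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Settings form: wp_nonce_field() emits a hidden token tied to this action and user.
function wpr_example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpr_example_save_rule', 'wpr_example_nonce' ); ?>
        <input type="text" name="source_path" />
        <input type="url" name="target_url" />
        <?php submit_button( 'Save redirect' ); ?>
    </form>
    <?php
}

// POST handler: the same two checks belong in front of add, edit and delete alike.
function wpr_example_handle_post() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['source_path'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request with a 403 when the nonce is absent or invalid, so a
    // cross-site form cannot supply a valid value for the administrator's session.
    check_admin_referer( 'wpr_example_save_rule', 'wpr_example_nonce' );

    $source = sanitize_text_field( wp_unslash( $_POST['source_path'] ) );
    $target = esc_url_raw( wp_unslash( $_POST['target_url'] ?? '' ) );
    if ( '' === $source || '' === $target ) {
        return;
    }

    global $wpdb;
    // Hypothetical table name; the plugin's real schema is not shown on the page.
    $wpdb->insert(
        $wpdb->prefix . 'wpr_example_rules',
        array( 'source_path' => $source, 'target_url' => $target ),
        array( '%s', '%s' )
    );
}
add_action( 'admin_init', 'wpr_example_handle_post' );
```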