CVE-2026-24632

The WordPress Delay Redirects plugin, versions up to and including 1.0.0, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and execute arbitrary JavaScript in the context of a victim's browser session.

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or visiting a crafted page [1]. The attack is initiated by a user with the required role, but successful execution depends on that user interacting with the crafted payload. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

If exploited, an attacker can inject malicious scripts that injects malicious scripts, including redirects, advertisements, or other HTML payloads, which execute when other users visit the affected site [1]. This could lead to defacement, phishing, or further compromise of the site and its visitors.

The vendor has not released a patched version; users are advised to update the plugin immediately if a fix becomes available [1]. As a workaround, consider disabling the plugin or restricting access to the vulnerable functionality may reduce risk. Given the active exploitation potential, immediate action is recommended [1].