CVE-2026-49067

Vulnerability

The Advanced 301 and 302 Redirect plugin for WordPress versions up to and including 1.6.9 contains an unauthenticated SQL injection vulnerability. The plugin fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling an attacker to inject arbitrary SQL commands without any prior authentication [1].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the plugin's endpoints. No authentication or user interaction is required, and the attack can be performed remotely. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation allows an attacker to directly interact with the database, including reading, modifying, or deleting data. This could lead to theft of sensitive information such as user credentials, personal data, and site configuration, potentially compromising the entire WordPress installation [1].

Mitigation

The vulnerability is fixed in version 1.7.0 of the plugin. Users are strongly advised to update to this version or later immediately. If updating is not possible, Patchstack offers a mitigation rule to block attacks until the update can be applied [1].