VYPR
High severity 7.1 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-52702

Description

Unauthenticated XSS in the SEO Redirection plugin <=9.17 allows attackers to inject malicious scripts that execute when a privileged user interacts with the injected content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SEO Redirection plugin for WordPress versions 9.17 and earlier is vulnerable to an unauthenticated stored cross-site scripting (XSS) attack. The flaw allows an attacker to inject arbitrary JavaScript or HTML into a page without authentication. However, successful execution requires a privileged user (such as an administrator) to perform an action like clicking a link or visiting a crafted page, as the injected script is stored and later rendered in the admin interface [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted request containing malicious JavaScript to a vulnerable endpoint of the SEO Redirection plugin. No prior authentication is required. The injected payload is stored by the plugin. Exploitation is successful only when a privileged user interacts with the injected content, such as by viewing the plugin's settings page or a redirected page. The user interaction may include clicking a malicious link or visiting a specially crafted page that triggers the stored script [1].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of a privileged WordPress user's session. This can lead to theft of session cookies, modification of site content, injection of malicious redirects, or further site compromise. The attacker may also use the XSS to escalate privileges or inject backdoors, depending on the capabilities of the victim user [1].

Mitigation

The vulnerability is patched in version 9.18 of the SEO Redirection plugin. Users are strongly advised to update immediately. If updating is not possible, Patchstack users can enable the provided mitigation rule to block attacks. As of this writing, CVE-2026-52702 is not listed in the CISA Known Exploited Vulnerabilities catalog, but it is considered likely to be exploited in mass campaigns [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)