CVE-2026-7562
Description
The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification (via check_admin_referer() or wp_verify_nonce()) in the displayWPRedirectionManagementPage() function before processing POST requests that add, edit, or delete URL redirection rules. This makes it possible for unauthenticated attackers to trick a logged-in administrator into clicking a crafted link, causing the attacker to create, modify, or delete redirection records in the plugin's database table without the administrator's consent.
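A static check for the condition described above, as an added example (not code from the plugin or from this advisory): it flags PHP functions that read `$_POST` or `$_REQUEST` without calling check_admin_referer() or wp_verify_nonce(). The sample PHP and its `demo_*` names are constructed for illustration, and the matching is a regex heuristic, not a PHP parser.

```python
import re

# Nonce-verification calls named in the advisory.
NONCE_CALLS = ("check_admin_referer", "wp_verify_nonce")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
POST_RE = re.compile(r"\$_(?:POST|REQUEST)\b")
# Block comments and whole-line // or # comments, so a disabled check does not count.
COMMENT_RE = re.compile(r"/\*.*?\*/|^[ \t]*(?://|#)[^\n]*", re.S | re.M)

# Constructed sample input; demo_* names are hypothetical, not the plugin's source.
SAMPLE_PHP = r'''
function demo_page_unprotected() {
    if ( isset( $_POST['redirect_from'] ) ) {
        demo_save_rule( $_POST['redirect_from'], $_POST['redirect_to'] );
    }
}
function demo_page_protected() {
    if ( isset( $_POST['redirect_from'] ) ) {
        check_admin_referer( 'demo_save_rule' );
        demo_save_rule( $_POST['redirect_from'], $_POST['redirect_to'] );
    }
}
function demo_page_check_disabled() {
    // check_admin_referer( 'demo_save_rule' );
    if ( isset( $_POST['id'] ) ) { demo_delete_rule( $_POST['id'] ); }
}
'''

def function_bodies(php_source):
    """Yield (name, body) per PHP function. Naive brace matching: braces inside
    string literals are not handled."""
    src = COMMENT_RE.sub("", php_source)
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def handlers_missing_nonce(php_source):
    """Return names of functions that read request data without a nonce check."""
    flagged = []
    for name, body in function_bodies(php_source):
        verifies = any(re.search(r"\b%s\s*\(" % c, body) for c in NONCE_CALLS)
        if POST_RE.search(body) and not verifies:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(handlers_missing_nonce(SAMPLE_PHP))
```

A hit is a lead for manual review; a function that passes may still be unsafe, since the presence of wp_verify_nonce() does not show that its return value is acted on.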
Affected products
- Range: <=1.0.3
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/wp-redirection/tags/1.0.3/wp-redirection.php (nvd)
- plugins.trac.wordpress.org/browser/wp-redirection/trunk/wp-redirection.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/15177d1b-ef48-49e3-9bd9-34262ed2c134 (nvd)