CVE-2026-7562
Severity CVSS v4.0: Pending analysis
Type: CWE-352 Cross-Site Request Forgery (CSRF)
Publication date: 12/05/2026
Last modified: 12/05/2026
Description
The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification (via check_admin_referer() or wp_verify_nonce()) in the displayWPRedirectionManagementPage() function before processing POST requests that add, edit, or delete URL redirection rules. This makes it possible for unauthenticated attackers to trick a logged-in administrator into clicking a crafted link, causing the attacker to create, modify, or delete redirection records in the plugin's database table without the administrator's consent.
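The fix pattern the description points to, as an added example (not the WP-Redirection source and not a published patch): a settings form that emits a nonce and a POST handler that verifies it before changing anything. The function names, nonce action and field names, form fields, and table name are hypothetical; wp_nonce_field(), check_admin_referer(), current_user_can() and $wpdb->insert() are standard WordPress APIs.

```php
<?php
// Added illustration; runs inside a WordPress admin page callback.
// All example_* names and the table name are assumptions for this sketch.
const EXAMPLE_NONCE_ACTION = 'example_redirect_save';   // hypothetical action string
const EXAMPLE_NONCE_FIELD  = 'example_redirect_nonce';  // hypothetical field name

function example_render_redirect_form() {
    ?>
    <form method="post">
        <?php
        // Emits a hidden field holding a token bound to the current user,
        // session and action. A forged cross-site request cannot supply it.
        wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
        ?>
        <input type="text" name="source_url" />
        <input type="text" name="target_url" />
        <?php submit_button( 'Save redirect' ); ?>
    </form>
    <?php
}

function example_handle_redirect_post() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return; // Only state-changing requests need the checks below.
    }
    // A nonce proves intent, not authorization, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing, expired or invalid.
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    $source = esc_url_raw( wp_unslash( $_POST['source_url'] ?? '' ) );
    $target = esc_url_raw( wp_unslash( $_POST['target_url'] ?? '' ) );
    if ( '' === $source || '' === $target ) {
        return; // Reject empty or unparseable URLs.
    }

    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'example_redirects', // hypothetical table
        array( 'source_url' => $source, 'target_url' => $target ),
        array( '%s', '%s' )
    );
}
```

The same verification has to guard every state-changing branch (add, edit and delete), not only the one shown here.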
Impact
Base Score 3.x: 4.30
Severity 3.x: MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/wp-redirection/tags/1.0.3/wp-redirection.php#L219
- https://plugins.trac.wordpress.org/browser/wp-redirection/tags/1.0.3/wp-redirection.php#L39
- https://plugins.trac.wordpress.org/browser/wp-redirection/trunk/wp-redirection.php#L219
- https://plugins.trac.wordpress.org/browser/wp-redirection/trunk/wp-redirection.php#L39
- https://www.wordfence.com/threat-intel/vulnerabilities/id/15177d1b-ef48-49e3-9bd9-34262ed2c134?source=cve



