CVE-2026-7561: WordPress Redirection Plugin CSRF Vulnerability

CVE-2026-7561 Overview

CVE-2026-7561 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Tm – WordPress Redirection plugin for WordPress in all versions up to and including 1.2. The flaw stems from missing or incorrect nonce validation on a plugin function within tm-redirect.php. Unauthenticated attackers can update plugin settings and inject malicious web scripts by tricking a site administrator into clicking a crafted link. Successful exploitation requires user interaction and leverages the administrator's authenticated session to perform unauthorized state-changing actions. The vulnerability is tracked under [CWE-352] and impacts confidentiality and integrity at low levels with no direct availability impact.

Critical Impact

Attackers can inject malicious scripts and modify plugin settings on vulnerable WordPress sites by tricking administrators into clicking a forged request link.

Affected Products

• Tm – WordPress Redirection plugin versions up to and including 1.2
• WordPress sites with the affected plugin installed and activated
• Administrator accounts on sites running the vulnerable plugin

Discovery Timeline

• 2026-05-12 - CVE-2026-7561 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-7561

Vulnerability Analysis

The vulnerability resides in the Tm – WordPress Redirection plugin's settings handling logic. The plugin exposes administrative functions that change configuration state but fail to verify a WordPress nonce token on incoming requests. Without nonce validation, the server cannot confirm that a request originated from an authenticated administrator's intentional action within the WordPress dashboard.

An attacker hosts a crafted HTML page or link containing a forged request targeting the plugin's settings endpoint. When an authenticated administrator visits the attacker-controlled page, the browser automatically submits the request using the administrator's session cookies. The plugin processes the request as legitimate and writes attacker-supplied values into stored settings.

Because the injected values are reflected into pages rendered to site visitors, the attacker can also store malicious JavaScript, escalating CSRF into stored Cross-Site Scripting. The affected code paths are referenced at lines 168, 265, and 308 of tm-redirect.php in both the tags/1.2 and trunk branches of the plugin source.

Root Cause

The root cause is missing or incorrect nonce validation [CWE-352]. WordPress provides wp_verify_nonce() and check_admin_referer() to bind state-changing requests to a specific user session. The plugin's settings handlers omit these checks, allowing any cross-origin request to mutate plugin state when an administrator's browser is authenticated.

Attack Vector

Exploitation requires no privileges on the target site but does require user interaction from an administrator. The attacker delivers a malicious link through phishing, a comment, a forum post, or an embedded resource. When the administrator follows the link, the forged request executes within their authenticated context, persisting attacker-controlled script content into plugin settings that later render to visitors.

No exploitation code example is available. See the Wordfence Vulnerability Report and the WordPress Redirect Plugin Code for technical details.

Detection Methods for CVE-2026-7561

Indicators of Compromise

• Unexpected modifications to Tm – WordPress Redirection plugin settings in the WordPress database wp_options table
• Outbound requests from administrator browsers to unfamiliar domains immediately preceding setting changes
• Presence of <script> tags or JavaScript payloads inside stored plugin configuration values
• Web server access logs showing POST requests to the plugin's settings endpoint with an external Referer header

Detection Strategies

• Monitor WordPress audit logs for changes to plugin options without a corresponding administrator session in the dashboard
• Inspect rendered redirect pages for unexpected inline script content or unauthorized destination URLs
• Compare plugin option values against a known-good baseline using file integrity and database integrity tooling

Monitoring Recommendations

• Enable a WordPress security audit plugin to log option changes and administrator actions
• Forward web server access logs to a centralized log platform and alert on POST requests to plugin endpoints with foreign referrers
• Track administrator browser activity for visits to untrusted external sites in close proximity to backend changes

How to Mitigate CVE-2026-7561

Immediate Actions Required

• Deactivate the Tm – WordPress Redirection plugin until a patched version is available
• Audit current plugin settings for injected scripts or unauthorized redirect targets and restore clean values
• Force a password reset and session invalidation for all WordPress administrator accounts
• Review web server and WordPress logs for prior exploitation attempts targeting tm-redirect.php

Patch Information

No fixed version is identified in the NVD record at the time of publication. Administrators should monitor the WordPress plugin repository and the Wordfence Vulnerability Report for an update beyond version 1.2 that introduces nonce validation on the affected handlers.

Workarounds

• Remove or deactivate the plugin and replace it with a maintained redirection plugin that implements CSRF protection
• Restrict administrator dashboard access by IP allow-listing through web server or WAF rules
• Require administrators to use a dedicated browser profile for WordPress administration to limit cross-site request exposure
• Deploy a web application firewall rule that blocks POST requests to the plugin endpoint when the Referer header is missing or external