CVE-2026-7562 Overview
CVE-2026-7562 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP-Redirection plugin for WordPress in all versions up to and including 1.0.3. The plugin's admin settings form omits a nonce field, and the displayWPRedirectionManagementPage() function processes POST requests without calling check_admin_referer() or wp_verify_nonce(). Unauthenticated attackers can craft a malicious link that, when clicked by a logged-in administrator, adds, modifies, or deletes URL redirection records in the plugin's database table. The flaw maps to CWE-352: Cross-Site Request Forgery.
Critical Impact
An attacker who lures a logged-in WordPress administrator to a crafted page can silently add, alter or delete redirection rules. Existing site URLs can then be pointed at attacker-controlled destinations (traffic hijacking), and legitimate redirects can be changed or removed, so none of the site's redirect logic can be trusted until the table has been audited.
Affected Products
- WP-Redirection plugin for WordPress, versions up to and including 1.0.3
- Any site running the affected plugin where an administrator is logged in at the time the forged request is made; the attack depends on that live admin session in the victim's browser
- Deployments built from the plugin's trunk branch in the WordPress plugin code repository, which the advisory references in addition to the released versions
Discovery Timeline
- 2026-05-12 - CVE-2026-7562 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-7562
Vulnerability Analysis
The WP-Redirection plugin manages URL redirection rules through an administrative settings page rendered by displayWPRedirectionManagementPage(). This handler accepts POST submissions for adding, editing, and deleting redirection entries, but it does not verify that the submission was intentionally made from the plugin's own admin UI. Without a server-side anti-CSRF check, the browser of an authenticated administrator becomes a confused deputy that submits attacker-supplied form data using valid session cookies. The result is silent state-changing operations against the plugin's database table.
Root Cause
The root cause is the absence of a WordPress nonce in both the rendered form and the request handler. The settings form does not emit a nonce field via wp_nonce_field(), and the receiving function does not call check_admin_referer() or wp_verify_nonce() before mutating data. The plugin therefore treats any authenticated POST request as legitimate, regardless of whether the request originated from the plugin's own admin UI. A nonce closes this gap because it is a per-user, time-limited token that only the plugin's own page embeds in its form; a page on another origin cannot read that token (same-origin policy), so a forged submission cannot carry a value that verifies. The relevant logic is referenced at line 219 and line 39 of wp-redirection.php in the tagged 1.0.3 source.
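To make the root cause concrete, the following is an added illustration (not the WP-Redirection plugin's own source) of the vulnerable handler shape beside the corrected one. The wpr_* function, table and field names are hypothetical; wp_nonce_field(), wp_nonce_url(), check_admin_referer(), current_user_can() and the $wpdb helpers are the real WordPress APIs.

```php
<?php
// Added illustration, not the WP-Redirection plugin's code. The wpr_* names,
// the table and the field names are hypothetical; the WordPress API calls are real.

// BEFORE (the pattern CVE-2026-7562 describes): the handler trusts any POST that
// arrives with a valid admin session cookie. A form on another site that
// auto-submits to admin.php?page=wp-redirection is processed exactly like a
// submission from the plugin's own settings page.
function wpr_handle_post_vulnerable() {
    global $wpdb;
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || empty( $_POST['wpr_action'] ) ) {
        return;
    }
    $table = $wpdb->prefix . 'wpr_redirects';
    if ( 'add' === $_POST['wpr_action'] ) {
        $wpdb->insert( $table, array(
            'source' => $_POST['wpr_source'],
            'target' => $_POST['wpr_target'],
        ) );
    } elseif ( 'delete' === $_POST['wpr_action'] ) {
        $wpdb->delete( $table, array( 'id' => (int) $_POST['wpr_id'] ) );
    }
}

// AFTER: the form carries a nonce tied to an action string and to the logged-in
// user, and the handler refuses to touch the table unless that nonce verifies.
// A cross-site page cannot read the nonce out of the admin UI, so it cannot
// build a request that passes check_admin_referer().
const WPR_NONCE_ACTION = 'wpr_manage_redirects';

function wpr_render_form_fixed() {
    $action_url = admin_url( 'admin.php?page=wp-redirection' );
    ?>
    <form method="post" action="<?php echo esc_url( $action_url ); ?>">
        <?php
        // Emits hidden _wpr_nonce and _wp_http_referer fields.
        wp_nonce_field( WPR_NONCE_ACTION, '_wpr_nonce' );
        ?>
        <input type="hidden" name="wpr_action" value="add">
        <input type="text" name="wpr_source" placeholder="/old-path">
        <input type="url"  name="wpr_target" placeholder="https://example.com/new-path">
        <?php submit_button( 'Add redirect' ); ?>
    </form>
    <?php
    // Delete links get the same protection via wp_nonce_url(); the handler
    // below reads the token from either the form field or the query string.
    $delete_url = wp_nonce_url(
        add_query_arg( array( 'wpr_action' => 'delete', 'wpr_id' => 42 ), $action_url ),
        WPR_NONCE_ACTION,
        '_wpr_nonce'
    );
    echo '<a href="' . esc_url( $delete_url ) . '">Delete #42</a>';
}

function wpr_handle_post_fixed() {
    global $wpdb;
    $action = isset( $_REQUEST['wpr_action'] ) ? sanitize_key( $_REQUEST['wpr_action'] ) : '';
    if ( '' === $action ) {
        return;
    }
    // Authorization first: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies with a 403 "link has expired" page if _wpr_nonce is absent, expired,
    // or was issued for another action or another user; nothing below runs for
    // a forged request.
    check_admin_referer( WPR_NONCE_ACTION, '_wpr_nonce' );

    $table = $wpdb->prefix . 'wpr_redirects';
    if ( 'add' === $action && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        $wpdb->insert( $table, array(
            'source' => sanitize_text_field( wp_unslash( $_POST['wpr_source'] ) ),
            'target' => esc_url_raw( wp_unslash( $_POST['wpr_target'] ) ),
        ), array( '%s', '%s' ) );
    } elseif ( 'delete' === $action ) {
        $wpdb->delete( $table, array( 'id' => absint( $_REQUEST['wpr_id'] ) ), array( '%d' ) );
    }
}
```

The ordering in the fixed handler matters: the capability check runs before the nonce check because a nonce only proves the request came from a page the user loaded, not that the user is allowed to perform the action, and check_admin_referer() is placed before any $wpdb call so that a failed check can never leave a partial write behind.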
Attack Vector
Exploitation requires the attacker to deliver a crafted page or link to a logged-in WordPress administrator and requires that administrator to open it. The attacker hosts an HTML page containing an auto-submitting form, or JavaScript that submits one, whose POST target is the WP-Redirection management page on the victim site. Because the handler acts on POST submissions, a plain GET vector such as an image tag would only work if the handler also read its parameters from GET requests, which the advisory does not state. When the administrator visits the page in an authenticated browser session, the browser attaches the WordPress authentication cookies and the server processes the redirection create, edit, or delete action. The attacker needs no account on the target site; only the victim's active admin session is required. Browsers that default to SameSite=Lax for cookies that set no explicit attribute (Chrome and Edge) withhold those cookies from a cross-site POST, apart from a short grace period after the cookie is set, which blunts the attack for their users; other browsers do not apply that default, so the server-side nonce remains the only reliable defence.
No verified exploit code is publicly available. Technical details are documented in the Wordfence vulnerability report.
Detection Methods for CVE-2026-7562
Indicators of Compromise
- Unexpected entries in the WP-Redirection plugin's database table, including unfamiliar source URLs or destination targets pointing to external domains.
- WordPress access logs showing POST requests to the WP-Redirection admin page with Referer headers from third-party domains or no Referer header at all.
- Visitor reports of unexpected redirects from legitimate site URLs to unknown external locations.
Detection Strategies
- Audit the plugin's redirection table for recently created or modified rules and compare them against an approved baseline maintained by site administrators.
- Inspect web server and WordPress logs for state-changing POST requests to wp-admin pages that lack a same-origin Referer header.
- Correlate administrator browsing activity with redirection table changes to identify mutations that did not originate from a legitimate admin workflow.
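As an added example of the log-review step (not tooling from the plugin, the advisory or Wordfence), the PHP CLI script below parses Apache/nginx combined-format access log lines and flags POST requests to the management page whose Referer is absent or from another host. It assumes the page slug wp-redirection and the site host your-site.example; the sample lines embedded in it are constructed, not real traffic.

```php
<?php
// Added example: audit combined-format access logs for cross-site POSTs to the
// WP-Redirection admin page. Assumptions: site host and page slug below.
// Usage: php audit-wpr-posts.php /var/log/apache2/access.log  (no argument: built-in samples)

const WPR_SITE_HOST = 'your-site.example'; // assumption: replace with the site's host
const WPR_PAGE_SLUG = 'wp-redirection';    // assumption: the plugin's admin page slug

// Combined log format: host ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
const WPR_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"/';

/** Return a finding array for a suspicious line, or null if the line is uninteresting. */
function wpr_audit_line( $line ) {
    if ( ! preg_match( WPR_LOG_RE, $line, $m ) ) {
        return null; // not a combined-format line
    }
    list( , $ip, $time, $method, $path, $status, $referer ) = $m;
    if ( 'POST' !== $method ) {
        return null; // only state-changing requests matter here
    }
    $url   = parse_url( $path );
    $query = array();
    if ( isset( $url['query'] ) ) {
        parse_str( $url['query'], $query );
    }
    $admin_php = '/wp-admin/admin.php';
    $is_target = isset( $url['path'] )
        && substr( $url['path'], -strlen( $admin_php ) ) === $admin_php
        && isset( $query['page'] ) && WPR_PAGE_SLUG === $query['page'];
    if ( ! $is_target ) {
        return null;
    }
    if ( '' === $referer || '-' === $referer ) {
        $why = 'no Referer';
    } else {
        $host = parse_url( $referer, PHP_URL_HOST );
        if ( $host && 0 === strcasecmp( $host, WPR_SITE_HOST ) ) {
            return null; // same-origin: the normal admin workflow
        }
        $why = 'Referer host ' . ( $host ? $host : '(unparseable)' );
    }
    return array( 'ip' => $ip, 'time' => $time, 'status' => (int) $status, 'why' => $why );
}

/** Run wpr_audit_line() over every line and collect the findings. */
function wpr_audit_lines( array $lines ) {
    $findings = array();
    foreach ( $lines as $line ) {
        $finding = wpr_audit_line( $line );
        if ( null !== $finding ) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic): one legitimate admin save, one
// POST referred from another site, one POST with no Referer, one irrelevant GET.
$sample = array(
    '203.0.113.7 - - [13/May/2026:09:14:02 +0000] "POST /wp-admin/admin.php?page=wp-redirection HTTP/1.1" 200 5120 "https://your-site.example/wp-admin/admin.php?page=wp-redirection" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2026:09:31:45 +0000] "POST /wp-admin/admin.php?page=wp-redirection HTTP/1.1" 200 5120 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2026:09:32:10 +0000] "POST /wp-admin/admin.php?page=wp-redirection HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/May/2026:09:33:00 +0000] "GET /wp-admin/admin.php?page=wp-redirection HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

if ( isset( $argv[1] ) ) {
    $lines = file( $argv[1], FILE_IGNORE_NEW_LINES );
    if ( false === $lines ) {
        fwrite( STDERR, "cannot read {$argv[1]}\n" );
        exit( 1 );
    }
} else {
    $lines = $sample;
}
foreach ( wpr_audit_lines( $lines ) as $f ) {
    printf( "%s %s status=%d %s\n", $f['time'], $f['ip'], $f['status'], $f['why'] );
}
```

On the built-in samples the script reports the second and third lines only. A Referer-less POST is reported rather than ignored because a lure page can set a referrer policy of no-referrer, so "no Referer" is a signal to investigate, not evidence of a benign request; a Referer-less POST that coincides with a legitimate admin session is still worth matching against the table changes from the audit step above.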
Monitoring Recommendations
- Enable WordPress audit logging to capture all changes performed by administrator accounts, including plugin settings updates.
- Monitor the site's own redirect responses (3xx status codes and their Location headers) for destinations on suspicious or newly registered domains; this is what site visitors experience when a rule has been tampered with.
- Alert on database writes to the plugin's redirection table outside change windows. This vulnerability changes rows, not files, so a file-integrity alert on wp-redirection.php will not detect the attack by itself, though it remains worthwhile as general hygiene.
How to Mitigate CVE-2026-7562
Immediate Actions Required
- Deactivate the WP-Redirection plugin on all affected WordPress sites until a fixed version is installed.
- Review the plugin's redirection rule table and remove any entries that cannot be attributed to a legitimate administrator action.
- Require administrators to log out of WordPress when not actively managing the site, reducing the window for CSRF exploitation.
Patch Information
No fixed version is identified in the available advisory data. Monitor the WordPress plugin repository for WP-Redirection and the Wordfence vulnerability report for a release that introduces nonce generation in the settings form and check_admin_referer() or wp_verify_nonce() validation in displayWPRedirectionManagementPage().
Workarounds
- Replace the plugin with an actively maintained redirection plugin that implements WordPress nonces on all state-changing operations.
- Restrict access to wp-admin using IP allow-listing or a web application firewall rule that blocks cross-origin POST requests to the WP-Redirection management endpoint.
- Train administrators to avoid clicking untrusted links while authenticated to WordPress and to use a dedicated browser profile for site administration.
# Example WAF rules: block cross-origin POSTs to the WP-Redirection admin page (ModSecurity syntax).
# Assumes the page is reached as admin.php?page=wp-redirection and the site origin is https://your-site.example;
# rule ids are placeholders. An admin whose browser sends no Referer (strict referrer policy) will be blocked by rule 2.
# Rule 1: POST to the page with a Referer that is present but not from this site.
SecRule REQUEST_METHOD "@streq POST" \
    "id:9007562,phase:2,deny,status:403,log,msg:'Cross-origin POST to WP-Redirection admin (CVE-2026-7562)',chain"
    SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain"
        SecRule ARGS_GET:page "@streq wp-redirection" "chain"
            SecRule REQUEST_HEADERS:Referer "!@beginsWith https://your-site.example/"
# Rule 2: the same POST with no Referer at all. Rule 1 cannot match this case, because a negated operator over an absent header never fires.
SecRule REQUEST_METHOD "@streq POST" \
    "id:9007563,phase:2,deny,status:403,log,msg:'Referer-less POST to WP-Redirection admin (CVE-2026-7562)',chain"
    SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain"
        SecRule ARGS_GET:page "@streq wp-redirection" "chain"
            SecRule &REQUEST_HEADERS:Referer "@eq 0"
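For sites without a WAF in front of them, the same policy can be enforced inside WordPress. The must-use plugin below is an added example, not code from the plugin or from Wordfence. It assumes the management page is reached as admin.php?page=wp-redirection (change the slug constant if your install differs) and, unlike a Referer-only rule, uses the browser-set Sec-Fetch-Site header when present, falls back to Origin and then Referer, and treats the absence of all of them as cross-site.

```php
<?php
/**
 * Plugin Name: CVE-2026-7562 stopgap: refuse cross-site POSTs to WP-Redirection
 *
 * Added example, not code from the plugin or from Wordfence. Assumes the
 * management page is admin.php?page=wp-redirection; change WPR_GUARD_SLUG if
 * your install differs. Save as wp-content/mu-plugins/wpr-csrf-guard.php.
 */
const WPR_GUARD_SLUG = 'wp-redirection';

/**
 * Decide whether a request must be refused. Kept free of WordPress globals so
 * the policy can be read and tested on its own. Returns a reason string, or
 * null when the request may proceed.
 */
function wpr_guard_reason( $method, $page, array $headers, $admin_url ) {
    if ( 'POST' !== strtoupper( $method ) || WPR_GUARD_SLUG !== $page ) {
        return null; // not the endpoint being protected
    }
    // Fetch Metadata is the strongest signal: the browser sets it itself, and a
    // form submitted from another site arrives as "cross-site". Absent on old browsers.
    if ( isset( $headers['sec-fetch-site'] ) ) {
        $site = strtolower( $headers['sec-fetch-site'] );
        if ( ! in_array( $site, array( 'same-origin', 'same-site', 'none' ), true ) ) {
            return 'Sec-Fetch-Site=' . $site;
        }
    }
    // Otherwise compare Origin (sent by current browsers on cross-origin POSTs)
    // or, failing that, Referer against the admin host. Neither present is
    // treated as cross-site, the case a Referer-only WAF rule cannot express.
    $origin  = isset( $headers['origin'] ) ? $headers['origin'] : '';
    $referer = isset( $headers['referer'] ) ? $headers['referer'] : '';
    $source  = ( '' !== $origin && 'null' !== $origin ) ? $origin : $referer;
    if ( '' === $source ) {
        return 'no Origin or Referer header';
    }
    $src_host   = wp_parse_url( $source, PHP_URL_HOST );
    $admin_host = wp_parse_url( $admin_url, PHP_URL_HOST );
    if ( ! $src_host || 0 !== strcasecmp( $src_host, $admin_host ) ) {
        return 'request source host "' . ( $src_host ? $src_host : '' ) . '" is not ' . $admin_host;
    }
    return null;
}

add_action( 'admin_init', function () {
    // admin_init fires before menu-page callbacks render, so wp_die() here stops
    // the request before the plugin's handler (assumed to run as the page
    // callback, as its name suggests) can process the submitted form.
    $headers = array();
    foreach ( array( 'HTTP_SEC_FETCH_SITE' => 'sec-fetch-site',
                     'HTTP_ORIGIN'         => 'origin',
                     'HTTP_REFERER'        => 'referer' ) as $server_key => $name ) {
        if ( isset( $_SERVER[ $server_key ] ) ) {
            $headers[ $name ] = $_SERVER[ $server_key ];
        }
    }
    $page   = isset( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';
    $reason = wpr_guard_reason( $_SERVER['REQUEST_METHOD'], $page, $headers, admin_url() );
    if ( null !== $reason ) {
        error_log( sprintf( 'CVE-2026-7562 guard: refused POST from %s (%s)', $_SERVER['REMOTE_ADDR'], $reason ) );
        wp_die( 'Cross-site request refused.', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

This is a stopgap with the same trade-off as the WAF rules: an administrator whose browser sends none of Sec-Fetch-Site, Origin or Referer on a same-origin form post will be refused, and the error_log line records the reason so that such a case can be recognised. It does not replace the nonce fix, which is the only check that ties the request to a form the plugin itself rendered for that user.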
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


