CVE-2025-62122
Description
Missing Authorization vulnerability in solwininfotech Trash Duplicate and 301 Redirect trash-duplicate-and-301-redirect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trash Duplicate and 301 Redirect: from n/a through <= 1.9.1.
Analysis
Missing authorization in the Trash Duplicate and 301 Redirect WordPress plugin through version 1.9.1 allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially bypassing the checks that should restrict access to protected functionality and allowing it to be accessed or modified. The vulnerability stems from improper enforcement of WordPress capability checks (CWE-862). No public exploit code has been identified, and the low EPSS score (0.06%) suggests limited real-world exploitation likelihood despite the authorization flaw.
Technical Context
The vulnerability resides in the Trash Duplicate and 301 Redirect WordPress plugin, which provides functionality for managing duplicate content and HTTP 301 redirects within WordPress sites. WordPress plugins interact with the WordPress permission system through capability checks and nonce verification. CWE-862 (Missing Authorization) indicates that the plugin fails to properly validate user roles or capabilities before allowing access to sensitive functions. This typically occurs when plugin code executes actions without calling appropriate WordPress functions such as `current_user_can()`, or without verifying nonces on forms and AJAX endpoints. The affected component applies improper access control security levels, meaning functions that should be restricted to administrators or editors either lack server-side checks entirely or rely on easily bypassed client-side validation.
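As an added illustration (not the plugin's own code; the hook names, option name and script handle are hypothetical), a WordPress AJAX handler in the shape CWE-862 describes, beside the form that enforces the capability and nonce checks named above:

```php
<?php
// Added example, not code from the Trash Duplicate and 301 Redirect plugin.
// Hook names, option name and script handle are hypothetical.

// Pattern to avoid: the handler is reachable by any visitor because the
// 'wp_ajax_nopriv_' hook is registered and no capability or nonce check runs.
add_action( 'wp_ajax_tdr_example_save', 'tdr_example_save_unchecked' );
add_action( 'wp_ajax_nopriv_tdr_example_save', 'tdr_example_save_unchecked' );
function tdr_example_save_unchecked() {
    update_option( 'tdr_example_redirect_target', $_POST['target'] ); // no checks
    wp_send_json_success();
}

// Hardened form: logged-in hook only, nonce verified, capability enforced
// server-side, and the input validated before it is stored.
add_action( 'wp_ajax_tdr_example_save_v2', 'tdr_example_save_checked' );
function tdr_example_save_checked() {
    // Terminates the request (HTTP 403) when the nonce is missing or invalid.
    check_ajax_referer( 'tdr_example_save', 'nonce' );

    // Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $target = isset( $_POST['target'] )
        ? esc_url_raw( wp_unslash( $_POST['target'] ) )
        : '';
    if ( '' === $target ) {
        wp_send_json_error( 'invalid target', 400 );
    }
    update_option( 'tdr_example_redirect_target', $target );
    wp_send_json_success();
}

// The nonce the hardened handler expects is issued to the plugin's admin page
// script (assumed already enqueued under the handle 'tdr-example-js').
function tdr_example_enqueue() {
    wp_localize_script( 'tdr-example-js', 'tdrExample', array(
        'nonce' => wp_create_nonce( 'tdr_example_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'tdr_example_enqueue' );
```

The nonce protects against cross-site request forgery only; the `current_user_can()` check is what closes the missing-authorization class, so a handler needs both.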
Affected Products
The vulnerability affects the Trash Duplicate and 301 Redirect WordPress plugin (CPE not provided by vendor) in versions from an unspecified baseline through version 1.9.1. The plugin is hosted on the WordPress plugin repository at wordpress.org/plugins/trash-duplicate-and-301-redirect. Additional details and vendor advisory information are available at https://patchstack.com/database/Wordpress/Plugin/trash-duplicate-and-301-redirect/vulnerability/wordpress-trash-duplicate-and-301-redirect-plugin-1-9-1-broken-access-control-vulnerability?_s_id=cve.
Remediation
Update the Trash Duplicate and 301 Redirect plugin to a version newer than 1.9.1 immediately. Users should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate 'Trash Duplicate and 301 Redirect', and click 'Update Now' if a patched version is available in the WordPress plugin repository. If no update is available in the dashboard, disable the plugin until a patched version is released by solwininfotech. Review the plugin's Patchstack advisory at the reference URL for confirmation of the patched version number and any additional security guidance. As an interim mitigation, restrict plugin access via WordPress role management and monitor for unauthorized access attempts if the plugin must remain active.