Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects QR Redirector: from n/a through 2.0.3.
AnalysisAI
Missing authorization in the QR Redirector WordPress plugin (versions through 2.0.3) exposes redirect management functionality to authenticated low-privileged users who lack the appropriate capability checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms any authenticated WordPress user - including subscribers or contributors - can exploit this flaw remotely without user interaction. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) and SSVC exploitation status of 'none' place this at low operational priority for most environments.
Technical ContextAI
CWE-862 (Missing Authorization) describes a failure to verify that an authenticated principal holds the required permission before executing a sensitive operation. In WordPress plugin context, this typically manifests as REST API endpoints or admin-ajax handlers that omit capability checks such as current_user_can(), allowing any logged-in user to invoke privileged functions. The CPE string cpe:2.3:a:nikki_blight:qr_redirector identifies this as the 'QR Redirector' plugin authored by Nikki Blight, installed on WordPress sites to manage QR code-to-URL redirect mappings. The integrity impact (I:L) with no confidentiality or availability impact suggests the exploitable function likely allows unauthorized modification of redirect targets - potentially enabling link hijacking within the plugin's managed QR codes.
RemediationAI
Update the QR Redirector plugin to a version beyond 2.0.3 as reported by Patchstack; however, no exact patched release version is independently confirmed from the available data - verify the latest available version via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/qr-redirector/vulnerability/wordpress-qr-redirector-plugin-2-0-3-broken-access-control-vulnerability before deploying. As a compensating control where immediate update is not possible, restrict WordPress site registration and limit low-privilege authenticated roles (subscriber, contributor) on sites where untrusted users may have accounts, reducing the pool of potential exploiters. Alternatively, temporarily deactivating the QR Redirector plugin removes the attack surface entirely at the cost of losing QR redirect functionality.
More in Qr Redirector
View allThe QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could
The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector se
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31746
GHSA-5359-frvq-63mr