Skip to main content

Advanced 301 and 302 Redirect CVE-2026-49067

| EUVDEUVD-2026-36874 CRITICAL
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-4r48-pfgj-8jrr
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.4 CRITICAL

Unauthenticated network-reachable SQLi in a WordPress plugin justifies AV:N/AC:L/PR:N/UI:N; SQLi typically enables both DB read and write, so C:H and I:H, with S:U as injection stays within the DB trust boundary.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:38 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.

AnalysisAI

SQL injection in the Advanced 301 and 302 Redirect WordPress plugin (versions <= 1.6.9) allows remote unauthenticated attackers to inject arbitrary SQL queries into the underlying WordPress database. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating attacker-controlled input crosses a trust boundary. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

Technical ContextAI

The affected component is a WordPress plugin (CPE yydevelopment:advanced_301_and_302_redirect) that manages HTTP 301/302 redirect rules, typically by reading and writing redirect entries to the WordPress MySQL/MariaDB database via the global $wpdb interface. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which in the WordPress plugin context almost always indicates that user-supplied input was concatenated into a database query without being passed through $wpdb->prepare() or properly sanitized via esc_sql() / sanitize_text_field(). Because the entry point is unauthenticated, the vulnerable code path is reachable via a public-facing handler such as an admin-ajax.php action with nopriv, a REST API route, or a front-end request parameter.

RemediationAI

No vendor-released patch identified at time of analysis based on the provided input; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/advanced-301-and-302-redirect/vulnerability/wordpress-advanced-301-and-302-redirect-plugin-1-6-9-sql-injection-vulnerability should be consulted for the latest fixed version, and administrators should upgrade to any release published after 1.6.9 as soon as one is available. Until a fix is confirmed, the most effective compensating control is to deactivate and remove the Advanced 301 and 302 Redirect plugin and migrate existing redirect rules to either server-level rewrites (Apache .htaccess or nginx rewrite directives) or an alternative maintained redirect plugin - accepting the operational cost of re-creating rules. If removal is not feasible, deploy a WordPress-aware WAF (such as Patchstack's vPatch, Wordfence, or a generic mod_security ruleset) tuned to block SQL metacharacters on the plugin's request handlers, and restrict access to the plugin's endpoints via IP allowlisting at the web server, noting that WAF signatures can be bypassed and IP allowlisting breaks any front-end redirect functionality that depends on the vulnerable endpoint.

Share

CVE-2026-49067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy