Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network-reachable SQLi in a WordPress plugin justifies AV:N/AC:L/PR:N/UI:N; SQLi typically enables both DB read and write, so C:H and I:H, with S:U as injection stays within the DB trust boundary.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.
AnalysisAI
SQL injection in the Advanced 301 and 302 Redirect WordPress plugin (versions <= 1.6.9) allows remote unauthenticated attackers to inject arbitrary SQL queries into the underlying WordPress database. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating attacker-controlled input crosses a trust boundary. No public exploit identified at time of analysis, and EPSS data was not provided in the input.
Technical ContextAI
The affected component is a WordPress plugin (CPE yydevelopment:advanced_301_and_302_redirect) that manages HTTP 301/302 redirect rules, typically by reading and writing redirect entries to the WordPress MySQL/MariaDB database via the global $wpdb interface. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which in the WordPress plugin context almost always indicates that user-supplied input was concatenated into a database query without being passed through $wpdb->prepare() or properly sanitized via esc_sql() / sanitize_text_field(). Because the entry point is unauthenticated, the vulnerable code path is reachable via a public-facing handler such as an admin-ajax.php action with nopriv, a REST API route, or a front-end request parameter.
RemediationAI
No vendor-released patch identified at time of analysis based on the provided input; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/advanced-301-and-302-redirect/vulnerability/wordpress-advanced-301-and-302-redirect-plugin-1-6-9-sql-injection-vulnerability should be consulted for the latest fixed version, and administrators should upgrade to any release published after 1.6.9 as soon as one is available. Until a fix is confirmed, the most effective compensating control is to deactivate and remove the Advanced 301 and 302 Redirect plugin and migrate existing redirect rules to either server-level rewrites (Apache .htaccess or nginx rewrite directives) or an alternative maintained redirect plugin - accepting the operational cost of re-creating rules. If removal is not feasible, deploy a WordPress-aware WAF (such as Patchstack's vPatch, Wordfence, or a generic mod_security ruleset) tuned to block SQL metacharacters on the plugin's request handlers, and restrict access to the plugin's endpoints via IP allowlisting at the web server, noting that WAF signatures can be bypassed and IP allowlisting breaks any front-end redirect functionality that depends on the vulnerable endpoint.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36874
GHSA-4r48-pfgj-8jrr