Skip to main content

SEO Redirection CVE-2026-52702

| EUVDEUVD-2026-37003 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-chcp-3q6x-xgwr
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable XSS in a WordPress plugin requires victim click (UI:R); injected script crosses trust boundary into admin session (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:22 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.

AnalysisAI

Cross-site scripting in the SEO Redirection WordPress plugin (versions <= 9.17) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction such as clicking a crafted link. The flaw has a CVSS 3.1 score of 7.1 with scope-changed impact, indicating injected scripts can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

SEO Redirection is a WordPress plugin developed by wp-buy (CPE cpe:2.3:a:wp-buy:seo_redirection) used to manage URL redirects and 404 monitoring on WordPress sites. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is reflected or stored in HTML output without proper encoding or sanitization. In WordPress plugin contexts, this class of bug typically arises when GET/POST parameters or referer-style data are echoed into admin pages or front-end responses without escaping via WordPress APIs such as esc_html() or wp_kses(), enabling attacker-controlled HTML and JavaScript to be rendered in a victim's browser session.

RemediationAI

Upgrade the SEO Redirection plugin to a version newer than 9.17 once a fixed release is published; refer to the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/seo-redirection/vulnerability/wordpress-seo-redirection-plugin-9-17-cross-site-scripting-xss-vulnerability for the most current fixed-version information, as the input data does not explicitly confirm a specific patched version. If an immediate upgrade is not possible, compensating controls include deactivating the SEO Redirection plugin until a patched version is installed (trade-off: any custom redirect rules will stop functioning), deploying a Web Application Firewall rule to filter HTML/JavaScript payloads in requests to the plugin's endpoints (trade-off: may produce false positives on legitimate redirect rule entries containing special characters), and restricting access to the WordPress admin interface by IP allowlist to limit the population of users who could be socially engineered into clicking a malicious link. Patch status: No vendor-released patch version is identified in the available input data at time of analysis.

Share

CVE-2026-52702 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy