Description
The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloads to manipulate database queries and extract sensitive information from the WordPress database.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The 404 Redirection Manager plugin version 1.0 for WordPress has an unauthenticated SQL injection flaw that occurs when the plugin parses unsanitized user input from GET requests. An attacker can inject arbitrary SQL code, allowing them to read sensitive data, modify database records, or potentially insert malicious content that could affect site integrity. This vulnerability is classified as CWE‑89.

Affected Systems

The flaw affects the WordPress 404 Redirection Manager plugin at version 1.0. Any WordPress site that has installed this plugin without applying a patch is at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity flaw. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers can trigger the injection remotely by sending crafted GET requests to the plugin’s endpoints, with no authentication required. If exploited, the attacker can execute arbitrary SQL queries against the WordPress database, leading to data exposure or manipulation.

Generated by OpenCVE AI on June 16, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 404 Redirection Manager plugin to the latest version or uninstall it if no longer needed.
  • If upgrading is not immediately possible, disable GET query handling or implement strict input validation to reject SQL keywords, and enforce use of prepared statements.
  • Apply overall WordPress security hardening: keep core and other plugins updated, use a Web Application Firewall to block SQL injection patterns, and monitor database logs for abnormal queries.

Generated by OpenCVE AI on June 16, 2026 at 02:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloads to manipulate database queries and extract sensitive information from the WordPress database.
Title WordPress 404 Redirection Manager Plugin 1.0 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T14:51:51.754Z

Reserved: 2026-06-15T11:37:01.880Z

Link: CVE-2016-20071

cve-icon Vulnrichment

Updated: 2026-06-15T14:51:48.495Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:30.223

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20071

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T02:15:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')