Impact
Unauthenticated SQL Injection in the Advanced 301 and 302 Redirect plugin allows an attacker to manipulate the database query string by providing unauthenticated input to the plugin’s redirection handling functions. The flaw can lead to unauthorized reading, modification, or deletion of database data, thereby compromising the confidentiality, integrity, and availability of the affected WordPress site.
Affected Systems
The vulnerability affects the Advanced 301 and 302 Redirect plugin for WordPress, released by yydevelopment. Versions 1.6.9 and earlier are impacted, while version 1.7.0 and later contain the fix.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical severity, but the EPSS score of less than 1% means the likelihood of exploitation is very low at this time. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread use in the wild yet. Because the flaw does not require authentication, an attacker could exploit it from any web access to the site, making the risk high if the EPSS were to rise or if an active exploit appears.
OpenCVE Enrichment