Description
Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated SQL Injection in the Advanced 301 and 302 Redirect plugin allows an attacker to manipulate the database query string by providing unauthenticated input to the plugin’s redirection handling functions. The flaw can lead to unauthorized reading, modification, or deletion of database data, thereby compromising the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The vulnerability affects the Advanced 301 and 302 Redirect plugin for WordPress, released by yydevelopment. Versions 1.6.9 and earlier are impacted, while version 1.7.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, but the EPSS score of less than 1% means the likelihood of exploitation is very low at this time. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread use in the wild yet. Because the flaw does not require authentication, an attacker could exploit it from any web access to the site, making the risk high if the EPSS were to rise or if an active exploit appears.

Generated by OpenCVE AI on June 18, 2026 at 00:31 UTC.

Remediation

Vendor Solution

Update the WordPress Advanced 301 and 302 Redirect Plugin to the latest available version (at least 1.7.0).


OpenCVE Recommended Actions

  • Update the Advanced 301 and 302 Redirect plugin to version 1.7.0 or newer
  • Ensure the plugin is the latest release by checking the WordPress plugin repository
  • Enforce least privilege for the database user used by WordPress so even if injection succeeds, damage is limited
  • Review site logs for suspicious SQL activity and apply network or WAF rules to block malformed requests

Generated by OpenCVE AI on June 18, 2026 at 00:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Yydevelopment
Yydevelopment advanced 301 And 302 Redirect
Vendors & Products Wordpress
Wordpress wordpress
Yydevelopment
Yydevelopment advanced 301 And 302 Redirect

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.
Title WordPress Advanced 301 and 302 Redirect plugin <= 1.6.9 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Wordpress Wordpress
Yydevelopment Advanced 301 And 302 Redirect
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:19:39.239Z

Reserved: 2026-05-27T10:26:54.457Z

Link: CVE-2026-49067

cve-icon Vulnrichment

Updated: 2026-06-16T01:19:34.732Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:19.530

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49067

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:44Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')