Redirection Security & Risk Analysis

wordpress.org/plugins/redirect-redirection

Redirection

100K active installs · v1.2.9 · PHP 5.6+ · WP 4.6+ · Updated Mar 5, 2026
Tags: 301, 404, redirect, redirection, redirects
99
A · Safe
CVEs total: 27
Unpatched: 0
Last CVE: Mar 21, 2023
Safety Verdict

Is Redirection Safe to Use in 2026?

Generally Safe

Score 99/100

Redirection has a strong security track record. Known vulnerabilities have been patched promptly.

27 known CVEs · Last CVE: Mar 21, 2023 · Updated 28d ago
Risk Assessment

The "redirect-redirection" plugin v1.2.9 presents a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and a significant number of nonce and capability checks, several concerning aspects emerge from the static analysis. The presence of one AJAX handler without authentication checks is a direct entry point for potential unauthorized actions, even if no critical taint flows were identified. The high number of total AJAX handlers (28) further amplifies this concern, as a single oversight can lead to vulnerabilities.

The plugin's vulnerability history is a significant red flag. With 27 known medium-severity CVEs, even though none are currently unpatched, it indicates a recurring pattern of security weaknesses, particularly in CSRF and missing authorization. This suggests that while past vulnerabilities may have been addressed, the underlying codebase might still be susceptible to similar issues. The fact that all past CVEs were medium severity might imply that, while not critical, they were significant enough to warrant patching and represent a history of less-than-ideal security implementation.

In conclusion, while the plugin has some strengths in its use of prepared statements and checks, the unprotected AJAX handler, coupled with a history of numerous medium-severity vulnerabilities, points to a moderate overall security risk. A diligent review, and potentially a refactoring, of the authentication mechanisms for all entry points would improve its security.

Key Concerns

  • AJAX handler without auth checks
  • High number of medium CVEs historically
  • Low percentage of properly escaped output
  • Use of unserialize function
Vulnerabilities
27

Redirection Security Vulnerabilities

CVEs by Year

27 CVEs in 2023

Severity Breakdown

Medium: 27

27 total CVEs

CVE-2023-1331 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Redirection <= 1.1.4 - Cross-Site Request Forgery to Plugin Reset

Mar 21, 2023 Patched in 1.1.5 (308d)
WF-7d500729-3b1a-4ece-81de-4c1f9afbf798-redirect-redirection · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.4 - Cross-Site Request Forgery to Plugin De-Installation

Mar 14, 2023 Patched in 1.1.5 (315d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'LoadTab' function

Feb 22, 2023 Patched in 1.1.4 (335d)
CVE-2023-1330 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'addRedirect' function

Feb 22, 2023 Patched in 1.1.4 (335d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'redirectionPageContent' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'addRedirect' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'deleteRedirect' function

Feb 21, 2023 Patched in 1.1.4 (336d)
WF-29333999-ffe3-4cd0-a537-be98168cb2ee-redirect-redirection · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'SaveSettings' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'SaveSettings' function

Feb 21, 2023 Patched in 1.1.4 (336d)
WF-53667fd6-0d12-400d-b3a1-7cee305a2bc2-redirect-redirection · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'bulkDelete' function

Feb 21, 2023 Patched in 1.1.4 (336d)
WF-5d1d012a-46cd-4c86-ac6f-993736a91acb-redirect-redirection · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'statusBulkEdit' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'instantEditRedirect' function

Feb 21, 2023 Patched in 1.1.4 (336d)
WF-84d43356-274e-42d5-ac40-10a34effce8d-redirect-redirection · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'addRedirectRule' function

Feb 21, 2023 Patched in 1.1.4 (336d)
WF-8b421330-dd3c-4af0-9f42-95430117eb9b-redirect-redirection · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'saveRedirectSettings' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'loadRedirectSettings' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'liveSearch' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'loadSettings' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'addRedirectRule' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'logFilter' function

Feb 21, 2023 Patched in 1.1.4 (336d)
WF-d433a5b3-4661-4246-ae60-8a99633372ad-redirect-redirection · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'deleteRedirect' function

Feb 21, 2023 Patched in 1.1.4 (336d)
WF-d4dacd15-85cc-41f5-830c-b02c85c798f9-redirect-redirection · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'cronLogDeleteOption' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'logPageContent' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'selectAll' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'bulkDelete' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'statusBulkEdit' function

Feb 21, 2023 Patched in 1.1.4 (336d)

Redirect Redirection <= 1.1.3 - Missing Authorization in 'saveRedirectSettings' function

Feb 21, 2023 Patched in 1.1.4 (336d)
WF-fdd57b3b-bd0a-4b07-831e-72f2329b2577-redirect-redirection · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Redirect Redirection <= 1.1.3 - Cross-Site Request Forgery via 'instantEditRedirect' function

Feb 21, 2023 Patched in 1.1.4 (336d)
Code Analysis
Analyzed Mar 16, 2026

Redirection Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 8 (36 prepared)
Unescaped Output: 131 (69 escaped)
Nonce Checks: 32
Capability Checks: 29
File Operations: 2
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $this->values = is_array($raw) ? $raw : @unserialize($raw); · analyst\src\Cache\DatabaseCache.php:47

SQL Query Safety

82% prepared · 44 total queries

Output Escaping

35% escaped · 200 total outputs
Data Flows
All sanitized

Data Flow Analysis

12 flows
importRedirects (includes\irrp-export-import.php:82)
Attack Surface
1 unprotected

Redirection Attack Surface

Entry Points: 28
Unprotected: 1

AJAX Handlers 28

auth · wp_ajax_analyst_notification_dismiss · analyst\src\Mutator.php:100
auth · wp_ajax_inisev_installation · includes\banner\misc.php:65
auth · wp_ajax_inisev_installation_widget · includes\banner\misc.php:66
auth · wp_ajax_irrp_import · includes\irrp-export-import.php:24
auth · wp_ajax_irAddRedirect · includes\irrp-helper-ajax.php:31
auth · wp_ajax_irInstantEditRedirect · includes\irrp-helper-ajax.php:32
auth · wp_ajax_irLoadRedirectSettings · includes\irrp-helper-ajax.php:33
auth · wp_ajax_irSaveRedirectSettings · includes\irrp-helper-ajax.php:34
auth · wp_ajax_irDeleteRedirect · includes\irrp-helper-ajax.php:35
auth · wp_ajax_irStatusBulkEdit · includes\irrp-helper-ajax.php:36
auth · wp_ajax_irBulkDelete · includes\irrp-helper-ajax.php:37
auth · wp_ajax_irRedirectionPageContent · includes\irrp-helper-ajax.php:38
auth · wp_ajax_irLiveSearch · includes\irrp-helper-ajax.php:39
auth · wp_ajax_irSelectAll · includes\irrp-helper-ajax.php:40
auth · wp_ajax_irLogPageContent · includes\irrp-helper-ajax.php:42
auth · wp_ajax_irLogFilter · includes\irrp-helper-ajax.php:43
auth · wp_ajax_irCronLogDeleteOption · includes\irrp-helper-ajax.php:44
auth · wp_ajax_irLogStatusChange · includes\irrp-helper-ajax.php:45
auth · wp_ajax_irAddRedirectRule · includes\irrp-helper-ajax.php:48
auth · wp_ajax_irRegexHelpNotificationDismiss · includes\irrp-helper-ajax.php:50
auth · wp_ajax_irLoadTab · includes\settings\irrp-settings.php:41
auth · wp_ajax_irLoadSettings · includes\settings\irrp-settings.php:42
auth · wp_ajax_irSaveSettings · includes\settings\irrp-settings.php:43
auth · wp_ajax_irLogMeWhereIFinished · includes\settings\irrp-settings.php:44
auth · wp_ajax_dismiss_new_bb_banner · modules\new-bb-banner\misc.php:103
auth · wp_ajax_install_bmi · modules\new-bb-banner\misc.php:104
auth · wp_ajax_activate_bmi · modules\new-bb-banner\misc.php:105
auth · wp_ajax_inisev_review · modules\review\review.php:111
WordPress Hooks 34
action · init · analyst\main.php:65
action · init · analyst\src\Analyst.php:80
action · admin_footer · analyst\src\Mutator.php:56
action · admin_notices · analyst\src\Mutator.php:74
action · admin_enqueue_scripts · analyst\src\Mutator.php:86
action · admin_menu · includes\banner\misc.php:110
action · admin_menu · includes\banner\misc.php:123
action · ins_global_print_carrousel · includes\banner\misc.php:165
action · admin_post_irrp_export · includes\irrp-export-import.php:23
action · wp_loaded · includes\irrp-helper.php:19
action · wp_loaded · includes\irrp-helper.php:21
action · template_redirect · includes\irrp-helper.php:22
action · admin_init · includes\irrp-helper.php:23
action · admin_post_irrp_delete_logs · includes\irrp-helper.php:26
action · admin_post_irrp_download_logs · includes\irrp-helper.php:27
filter · logout_redirect · includes\irrp-helper.php:305
filter · login_redirect · includes\irrp-helper.php:306
action · admin_menu · includes\settings\irrp-settings.php:36
action · admin_enqueue_scripts · includes\settings\irrp-settings.php:37
action · admin_init · includes\settings\irrp-settings.php:38
filter · irrp_log_requests · includes\settings\irrp-settings.php:48
action · wp_loaded · modules\new-bb-banner\misc.php:113
action · admin_enqueue_scripts · modules\new-bb-banner\misc.php:286
action · admin_notices · modules\new-bb-banner\misc.php:287
action · wp_loaded · modules\review\review.php:120
action · admin_enqueue_scripts · modules\review\review.php:322
action · admin_notices · modules\review\review.php:323
action · wp_loaded · redirect-redirection.php:45
action · wp_loaded · redirect-redirection.php:104
action · wpmu_new_blog · redirect-redirection.php:267
filter · wpmu_drop_tables · redirect-redirection.php:268
action · activated_plugin · redirect-redirection.php:273
action · admin_post_ir_uninstall · redirect-redirection.php:274
action · wp_head · redirect-redirection.php:277
Maintenance & Trust

Redirection Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 5.6
Downloads: 817K

Community Trust

Rating: 100/100
Number of ratings: 379
Active installs: 100K
Developer Profile

Redirection Developer Profile

Inisev

6 plugins · 620K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 480 days
Detection Fingerprints

How We Detect Redirection

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/redirect-redirection/assets/js/admin.js
  • /wp-content/plugins/redirect-redirection/assets/js/scripts.js
  • /wp-content/plugins/redirect-redirection/assets/css/style.css
  • /wp-content/plugins/redirect-redirection/assets/css/admin.css
Script Paths
  • /wp-content/plugins/redirect-redirection/assets/js/admin.js
  • /wp-content/plugins/redirect-redirection/assets/js/scripts.js
Version Parameters
  • redirect-redirection/assets/js/admin.js?ver=
  • redirect-redirection/assets/js/scripts.js?ver=
  • redirect-redirection/assets/css/style.css?ver=
  • redirect-redirection/assets/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • irrp-container
  • irrp-section-title
  • irrp-redirect-form
  • irrp-settings-form
  • irrp-log-table
HTML Comments
  • <!-- Plugin's constants -->
  • <!-- Create tables on activation. -->
  • <!-- Disable CRON job on deactivation -->
  • <!-- Load the plugin -->
  • +6 more
Data Attributes
  • data-irrp-action
  • data-irrp-redirect-id
  • data-irrp-rule-id
  • data-irrp-log-id
JS Globals
  • irrp_params
REST Endpoints
  • /wp-json/redirect-redirection/v1/settings
  • /wp-json/redirect-redirection/v1/redirects
  • /wp-json/redirect-redirection/v1/logs