Redirection Security & Risk Analysis

wordpress.org/plugins/redirection

Manage 301 redirects, track 404 errors, and improve your site. No knowledge of Apache or Nginx required.

2.0M active installs · v5.7.5 · PHP 7.4+ · WP 6.5+ · Updated Mar 1, 2026
Tags: 301, 404, apache, htaccess, redirect
97
A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Nov 14, 2018
Safety Verdict

Is Redirection Safe to Use in 2026?

Generally Safe

Score 97/100

Redirection has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Nov 14, 2018 · Updated 1mo ago
Risk Assessment

The Redirection plugin, version 5.7.5, presents a mixed security posture. On the positive side, static analysis reveals a minimal attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events directly exposed without authentication. The code also demonstrates good practices in output escaping, with 98% of outputs properly neutralized, and a significant majority of SQL queries utilizing prepared statements, which helps mitigate SQL injection risks. Furthermore, there are no reported critical or high severity vulnerabilities currently unpatched, and no identified critical or high severity taint flows or unsanitized paths in the static analysis.

However, several concerns warrant attention. The presence of four instances of the `unserialize` function is a significant risk factor, as unserialization of untrusted data can lead to Remote Code Execution (RCE) vulnerabilities if not handled with extreme caution and strict input validation. While the plugin history shows no currently unpatched CVEs, the historical data indicates a pattern of past vulnerabilities including Cross-Site Request Forgery (CSRF), PHP Remote File Inclusion (RFI), and Cross-Site Scripting (XSS). The fact that 5 CVEs have been recorded, even if none are currently unpatched, suggests that the plugin has been a target for attackers and has had historically significant security flaws. The limited number of nonce and capability checks (3 and 2 respectively) for potentially sensitive operations also suggests a potential for privilege escalation or unauthorized actions if entry points are discovered.

In conclusion, while version 5.7.5 shows improvements in its attack surface and output sanitization, the reliance on `unserialize` and the historical vulnerability record are significant weaknesses. The plugin has a history of RFI and XSS, which, combined with `unserialize`, could create a potent combination for exploitation if an attacker can manipulate serialized data. The low number of robust checks suggests that further hardening is needed to ensure all potential entry points are adequately protected.

Key Concerns

  • Dangerous function 'unserialize' used
  • Historical vulnerabilities exist
  • Low number of capability checks
  • Low number of nonce checks
Vulnerabilities: 5

Redirection Security Vulnerabilities

CVEs by Year

2012: 1 CVE
2014: 2 CVEs
2018: 2 CVEs

Severity Breakdown

High: 2
Medium: 3

5 total CVEs

WF-f2862cee-0412-42ba-9a8e-e5722bece775-redirection · high · 8.8 · Cross-Site Request Forgery (CSRF)

Redirection <= 3.6.3 - Cross-Site Request Forgery to Remote Code Execution

Nov 14, 2018 · Patched in 3.6.4 (1896d)

CVE-2018-1000504 · high · 7.2 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Redirection <= 2.7.3 - Local File Inclusion

Jul 12, 2018 · Patched in 2.8 (2021d)

CVE-2011-5329 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Redirection <= 2.2.8 - Reflected Cross-Site Scripting

Aug 1, 2014 · Patched in 2.2.9 (3462d)

CVE-2011-4562 · medium · 5.3 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Redirection <= 2.2.9 - Cross-Site Scripting

Aug 1, 2014 · Patched in 2.2.10 (3462d)

CVE-2012-6717 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Redirection < 2.2.12 - Reflected Cross-Site Scripting

May 4, 2012 · Patched in 2.2.12 (4281d)
Code Analysis
Analyzed Mar 16, 2026

Redirection Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 48 (74 prepared)
Unescaped Output: 4 (209 escaped)
Nonce Checks: 3
Capability Checks: 2
File Operations: 10
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `$values = @unserialize( $values ); // phpcs:ignore` (matches\from-notfrom.php:103)
  • unserialize: `$values = unserialize( $values ); // phpcs:ignore` (matches\from-url.php:88)
  • unserialize: `$values = @unserialize( $values );` (matches\login.php:93)
  • unserialize: `$sources = unserialize( $redirect->sources );` (models\importer\rank-math.php:33)

SQL Query Safety

61% prepared · 122 total queries

Output Escaping

98% escaped · 213 total outputs
Attack Surface

Redirection Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 45

filter · template_include · actions\error.php:19
filter · pre_handle_404 · actions\error.php:22
action · wp · actions\error.php:25
action · pre_post_update · models\monitor.php:36
action · post_updated · models\monitor.php:37
action · redirection_remove_existing · models\monitor.php:38
filter · redirection_permalink_changed · models\monitor.php:39
action · wp_trash_post · models\monitor.php:42
filter · pre_option_rewrite_rules · models\permalinks.php:142
filter · pre_option_permalink_structure · models\permalinks.php:143
action · init · modules\wordpress.php:76
action · init · modules\wordpress.php:79
action · send_headers · modules\wordpress.php:82
filter · wp_redirect · modules\wordpress.php:85
filter · pre_handle_404 · modules\wordpress.php:88
action · redirection_matched · modules\wordpress.php:91
action · redirection_last · modules\wordpress.php:92
action · redirection_visit · modules\wordpress.php:96
action · redirection_do_nothing · modules\wordpress.php:97
filter · redirect_canonical · modules\wordpress.php:100
action · template_redirect · modules\wordpress.php:103
filter · redirection_404_data · modules\wordpress.php:106
filter · redirection_log_data · modules\wordpress.php:107
filter · x_redirect_by · modules\wordpress.php:110
filter · status_header · modules\wordpress.php:380
action · admin_notices · redirection-admin.php:43
action · admin_menu · redirection-admin.php:47
action · admin_notices · redirection-admin.php:48
filter · plugin_row_meta · redirection-admin.php:50
filter · redirection_save_options · redirection-admin.php:51
filter · set-screen-option · redirection-admin.php:52
filter · set_screen_option_redirection_log_per_page · redirection-admin.php:53
action · redirection_redirect_updated · redirection-admin.php:61
action · redirection_redirect_updated · redirection-admin.php:62
filter · script_loader_src · redirection-admin.php:65
filter · ip-geo-block-admin · redirection-admin.php:448
action · init · redirection-admin.php:885
filter · qtranslate_language_detect_redirect · redirection-admin.php:888
filter · redirection_url_target · redirection-front.php:54
filter · redirection_request_ip · redirection-front.php:58
filter · redirection_request_ip · redirection-front.php:60
action · plugins_loaded · redirection-front.php:157
action · upgrader_process_complete · redirection.php:88
action · rest_api_init · redirection.php:143
action · init · redirection.php:144
Maintenance & Trust

Redirection Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 1, 2026
PHP min version: 7.4
Downloads: 71.3M

Community Trust

Rating: 88/100
Number of ratings: 689
Active installs: 2.0M
Developer Profile

Redirection Developer Profile

John Godley

14 plugins · 2.1M total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 4069 days
Detection Fingerprints

How We Detect Redirection

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/redirection/build/js/bundle.min.js
  • /wp-content/plugins/redirection/build/css/bundle.min.css
Script Paths
  • /wp-content/plugins/redirection/build/js/bundle.min.js
Version Parameters
  • redirection/build/css/bundle.min.css?ver=
  • redirection/build/js/bundle.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
redirection-settings
HTML Comments
<!-- Default manual update, with n
Data Attributes
data-redirection-id
JS Globals
redirection, redirection_admin_urls
REST Endpoints
/wp-json/redirection/v1/redirects
FAQ

Frequently Asked Questions about Redirection