CVE-2026-49067

Advanced 301 and 302 Redirect <= 1.6.9 - Unauthenticated SQL Injection

highImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
1.7.0
Patched in
8d
Time to patch

Description

The Advanced 301 and 302 Redirect plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.6.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.6.9
PublishedJune 8, 2026
Last updatedJune 15, 2026

What Changed in the Fix

Changes introduced in v1.7.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-49067 ## 1. Vulnerability Summary The **Advanced 301 and 302 Redirect** plugin (<= 1.6.9) is vulnerable to an **unauthenticated SQL Injection** in `include/redirect-page.php`. The vulnerability exists because the plugin extracts the current request URI, perfo…

Show full research plan

Exploitation Research Plan - CVE-2026-49067

1. Vulnerability Summary

The Advanced 301 and 302 Redirect plugin (<= 1.6.9) is vulnerable to an **unauthenticated SQL Injection** in include/redirect-page.php. The vulnerability exists because the plugin extracts the current request URI, performs insufficient sanitization (only removing quotes and using esc_url_raw), and then interpolates multiple variations of this string into a raw SQL query without using $wpdb->prepare().

While the plugin attempts to strip single and double quotes, it does not account for the backslash escape character in MySQL. By ending the URL path with a backslash (\), an attacker can escape the closing quote of a string literal in the SQL query, causing the subsequent parameters (which are also derived from the user's URI) to be interpreted as SQL commands.

2. Attack Vector Analysis

  • Endpoint: Any frontend URL (e.g., http://example.com/any-page). The vulnerable code runs on the init hook for all non-admin requests.
  • Vulnerable Parameter: The URL path ($_SERVER['REQUEST_URI']).
  • Payload Placement: Inside the URL path, followed by a backslash.
  • Authentication: Unauthenticated (No login required).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: A user requests a
Research Findings
Static analysis — not yet PoC-verified

Summary

The Advanced 301 and 302 Redirect plugin for WordPress is vulnerable to unauthenticated SQL Injection via the REQUEST_URI. Due to insufficient sanitization of backslashes and the use of string interpolation instead of prepared statements, attackers can escape SQL literals and append arbitrary queries to extract sensitive database information.

Vulnerable Code

// include/redirect-page.php lines 98-113
    $page_path_with_gets = $_SERVER['REQUEST_URI'];
    $page_path_without_get_parmaters = parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);
    
    // cleaning the ' or " from the url
    $page_path_without_get_parmaters = str_replace( array("'", '"'), array(''. ''), $page_path_without_get_parmaters);

    // ...

    // Getting the end of the url path (without the domain) so we can check
    // if to redirect the page to different page
    $domains_name = get_option('home');
    $url_user_request = str_ireplace($domains_name, '' , yydev_redirect_get_address()); // getting the url without the domain name
    $url_user_request = esc_url_raw($url_user_request);

---

// include/redirect-page.php lines 142-143
        if(!empty($url_user_request)) {
            
            // checking if there are database lines with the redirect similar to the corrent url
            $check_if_redirect_exists = $wpdb->get_results("SELECT * FROM " . $yydev_secondary_table_name . " WHERE request_url = '{$url_user_request}' || request_url = '{$url_user_request_strlower}' OR request_url = '{$full_url_path}' OR request_url = '{$url_without_slash}' OR request_url = '{$urldecode_user_request}' OR request_url = '{$urldecode_user_request_without_start_slash}' OR request_url = '{$url_with_end_slash}' ");

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/advanced-301-and-302-redirect/1.6.9/include/redirect-page.php	2025-08-26 08:02:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/advanced-301-and-302-redirect/1.7.0/include/redirect-page.php	2026-06-02 18:02:00.000000000 +0000
@@ -115,7 +115,7 @@
 
     $url_user_request_strlower = strtolower($url_user_request); // makindg english caracters not capital
 
-    $full_url_path = strtolower(yydev_redirect_get_address());
+    $full_url_path = esc_url_raw(strtolower(yydev_redirect_get_address()));
 
     // removing the first / from links in case the user forgot to add it.
     $url_without_slash = rtrim($url_user_request, '/');
@@ -142,7 +142,7 @@
         if(!empty($url_user_request)) {
             
             // checking if there are database lines with the redirect similar to the corrent url
-            $check_if_redirect_exists = $wpdb->get_results("SELECT * FROM " . $yydev_secondary_table_name . " WHERE request_url = '{$url_user_request}' || request_url = '{$url_user_request_strlower}' OR request_url = '{$full_url_path}' OR request_url = '{$url_without_slash}' OR request_url = '{$urldecode_user_request}' OR request_url = '{$urldecode_user_request_without_start_slash}' OR request_url = '{$url_with_end_slash}' ");
+            $check_if_redirect_exists = $wpdb->get_results( $wpdb->prepare("SELECT * FROM " . $yydev_secondary_table_name . " WHERE request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s", $url_user_request, $url_user_request_strlower, $full_url_path, $url_without_slash, $urldecode_user_request, $urldecode_user_request_without_start_slash, $url_with_end_slash) );
 
             // if there are url that require redirection 
             if( count($check_if_redirect_exists) > 0 ) {
@@ -225,7 +225,7 @@
         if(!empty($url_user_request)) {
             
             // checking if there are database lines with the redirect similar to the corrent url
-            $check_if_redirect_exists = $wpdb->get_results("SELECT * FROM " . $yydev_secondary_table_name . " WHERE redirect_query = 'contain' ");
+            $check_if_redirect_exists = $wpdb->get_results( $wpdb->prepare("SELECT * FROM " . $yydev_secondary_table_name . " WHERE redirect_query = %s", 'contain') );
 
             // if there are url that require redirection 
             if( count($check_if_redirect_exists) > 0 ) {

Exploit Outline

The vulnerability is exploited by targeting any frontend page of the WordPress site. An unauthenticated attacker crafts a URL that includes a backslash character (`\`) at the end of a segment. Because the plugin uses string interpolation in its SQL queries and only filters out single and double quotes, the backslash escapes the closing quote literal in the SQL statement. Subsequent parts of the URI (which the plugin parses into additional variables like `$url_user_request_strlower`) can then be used to inject SQL keywords (e.g., `UNION SELECT`) to exfiltrate data from the WordPress database. The code executes on the `init` hook via `include/redirect-page.php`, meaning no specific login or administrative privilege is required.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.