Advanced 301 and 302 Redirect <= 1.6.9 - Unauthenticated SQL Injection
Description
The Advanced 301 and 302 Redirect plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.6.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=1.6.9What Changed in the Fix
Changes introduced in v1.7.0
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-49067 ## 1. Vulnerability Summary The **Advanced 301 and 302 Redirect** plugin (<= 1.6.9) is vulnerable to an **unauthenticated SQL Injection** in `include/redirect-page.php`. The vulnerability exists because the plugin extracts the current request URI, perfo…
Show full research plan
Exploitation Research Plan - CVE-2026-49067
1. Vulnerability Summary
The Advanced 301 and 302 Redirect plugin (<= 1.6.9) is vulnerable to an **unauthenticated SQL Injection** in include/redirect-page.php. The vulnerability exists because the plugin extracts the current request URI, performs insufficient sanitization (only removing quotes and using esc_url_raw), and then interpolates multiple variations of this string into a raw SQL query without using $wpdb->prepare().
While the plugin attempts to strip single and double quotes, it does not account for the backslash escape character in MySQL. By ending the URL path with a backslash (\), an attacker can escape the closing quote of a string literal in the SQL query, causing the subsequent parameters (which are also derived from the user's URI) to be interpreted as SQL commands.
2. Attack Vector Analysis
- Endpoint: Any frontend URL (e.g.,
http://example.com/any-page). The vulnerable code runs on theinithook for all non-admin requests. - Vulnerable Parameter: The URL path (
$_SERVER['REQUEST_URI']). - Payload Placement: Inside the URL path, followed by a backslash.
- Authentication: Unauthenticated (No login required).
- Preconditions: The plugin must be active.
3. Code Flow
- Entry Point: A user requests a
Summary
The Advanced 301 and 302 Redirect plugin for WordPress is vulnerable to unauthenticated SQL Injection via the REQUEST_URI. Due to insufficient sanitization of backslashes and the use of string interpolation instead of prepared statements, attackers can escape SQL literals and append arbitrary queries to extract sensitive database information.
Vulnerable Code
// include/redirect-page.php lines 98-113 $page_path_with_gets = $_SERVER['REQUEST_URI']; $page_path_without_get_parmaters = parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH); // cleaning the ' or " from the url $page_path_without_get_parmaters = str_replace( array("'", '"'), array(''. ''), $page_path_without_get_parmaters); // ... // Getting the end of the url path (without the domain) so we can check // if to redirect the page to different page $domains_name = get_option('home'); $url_user_request = str_ireplace($domains_name, '' , yydev_redirect_get_address()); // getting the url without the domain name $url_user_request = esc_url_raw($url_user_request); --- // include/redirect-page.php lines 142-143 if(!empty($url_user_request)) { // checking if there are database lines with the redirect similar to the corrent url $check_if_redirect_exists = $wpdb->get_results("SELECT * FROM " . $yydev_secondary_table_name . " WHERE request_url = '{$url_user_request}' || request_url = '{$url_user_request_strlower}' OR request_url = '{$full_url_path}' OR request_url = '{$url_without_slash}' OR request_url = '{$urldecode_user_request}' OR request_url = '{$urldecode_user_request_without_start_slash}' OR request_url = '{$url_with_end_slash}' ");
Security Fix
@@ -115,7 +115,7 @@ $url_user_request_strlower = strtolower($url_user_request); // makindg english caracters not capital - $full_url_path = strtolower(yydev_redirect_get_address()); + $full_url_path = esc_url_raw(strtolower(yydev_redirect_get_address())); // removing the first / from links in case the user forgot to add it. $url_without_slash = rtrim($url_user_request, '/'); @@ -142,7 +142,7 @@ if(!empty($url_user_request)) { // checking if there are database lines with the redirect similar to the corrent url - $check_if_redirect_exists = $wpdb->get_results("SELECT * FROM " . $yydev_secondary_table_name . " WHERE request_url = '{$url_user_request}' || request_url = '{$url_user_request_strlower}' OR request_url = '{$full_url_path}' OR request_url = '{$url_without_slash}' OR request_url = '{$urldecode_user_request}' OR request_url = '{$urldecode_user_request_without_start_slash}' OR request_url = '{$url_with_end_slash}' "); + $check_if_redirect_exists = $wpdb->get_results( $wpdb->prepare("SELECT * FROM " . $yydev_secondary_table_name . " WHERE request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s", $url_user_request, $url_user_request_strlower, $full_url_path, $url_without_slash, $urldecode_user_request, $urldecode_user_request_without_start_slash, $url_with_end_slash) ); // if there are url that require redirection if( count($check_if_redirect_exists) > 0 ) { @@ -225,7 +225,7 @@ if(!empty($url_user_request)) { // checking if there are database lines with the redirect similar to the corrent url - $check_if_redirect_exists = $wpdb->get_results("SELECT * FROM " . $yydev_secondary_table_name . " WHERE redirect_query = 'contain' "); + $check_if_redirect_exists = $wpdb->get_results( $wpdb->prepare("SELECT * FROM " . $yydev_secondary_table_name . " WHERE redirect_query = %s", 'contain') ); // if there are url that require redirection if( count($check_if_redirect_exists) > 0 ) {
Exploit Outline
The vulnerability is exploited by targeting any frontend page of the WordPress site. An unauthenticated attacker crafts a URL that includes a backslash character (`\`) at the end of a segment. Because the plugin uses string interpolation in its SQL queries and only filters out single and double quotes, the backslash escapes the closing quote literal in the SQL statement. Subsequent parts of the URI (which the plugin parses into additional variables like `$url_user_request_strlower`) can then be used to inject SQL keywords (e.g., `UNION SELECT`) to exfiltrate data from the WordPress database. The code executes on the `init` hook via `include/redirect-page.php`, meaning no specific login or administrative privilege is required.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.