[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2k4EHLPHKPpq6G8Z1vaGxY1CHJdvHSBrbofEJs0KZxU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-49067","advanced-301-and-302-redirect-unauthenticated-sql-injection","Advanced 301 and 302 Redirect \u003C= 1.6.9 - Unauthenticated SQL Injection","The Advanced 301 and 302 Redirect plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.6.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","advanced-301-and-302-redirect",null,"\u003C=1.6.9","1.7.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-08 00:00:00","2026-06-15 19:38:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faad65aa5-b928-463b-a287-ea0dc8da7c80?source=api-prod",8,[22,23,24],"include\u002Fredirect-page.php","index.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-49067\n\n## 1. Vulnerability Summary\nThe **Advanced 301 and 302 Redirect** plugin (\u003C= 1.6.9) is vulnerable to an **unauthenticated SQL Injection** in `include\u002Fredirect-page.php`. The vulnerability exists because the plugin extracts the current request URI, performs insufficient sanitization (only removing quotes and using `esc_url_raw`), and then interpolates multiple variations of this string into a raw SQL query without using `$wpdb->prepare()`. \n\nWhile the plugin attempts to strip single and double quotes, it does not account for the **backslash escape character** in MySQL. By ending the URL path with a backslash (`\\`), an attacker can escape the closing quote of a string literal in the SQL query, causing the subsequent parameters (which are also derived from the user's URI) to be interpreted as SQL commands.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Any frontend URL (e.g., `http:\u002F\u002Fexample.com\u002Fany-page`). The vulnerable code runs on the `init` hook for all non-admin requests.\n- **Vulnerable Parameter:** The URL path (`$_SERVER['REQUEST_URI']`).\n- **Payload Placement:** Inside the URL path, followed by a backslash.\n- **Authentication:** Unauthenticated (No login required).\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1. **Entry Point:** A user requests a","The Advanced 301 and 302 Redirect plugin for WordPress is vulnerable to unauthenticated SQL Injection via the REQUEST_URI. Due to insufficient sanitization of backslashes and the use of string interpolation instead of prepared statements, attackers can escape SQL literals and append arbitrary queries to extract sensitive database information.","\u002F\u002F include\u002Fredirect-page.php lines 98-113\n    $page_path_with_gets = $_SERVER['REQUEST_URI'];\n    $page_path_without_get_parmaters = parse_url($_SERVER[\"REQUEST_URI\"], PHP_URL_PATH);\n    \n    \u002F\u002F cleaning the ' or \" from the url\n    $page_path_without_get_parmaters = str_replace( array(\"'\", '\"'), array(''. ''), $page_path_without_get_parmaters);\n\n    \u002F\u002F ...\n\n    \u002F\u002F Getting the end of the url path (without the domain) so we can check\n    \u002F\u002F if to redirect the page to different page\n    $domains_name = get_option('home');\n    $url_user_request = str_ireplace($domains_name, '' , yydev_redirect_get_address()); \u002F\u002F getting the url without the domain name\n    $url_user_request = esc_url_raw($url_user_request);\n\n---\n\n\u002F\u002F include\u002Fredirect-page.php lines 142-143\n        if(!empty($url_user_request)) {\n            \n            \u002F\u002F checking if there are database lines with the redirect similar to the corrent url\n            $check_if_redirect_exists = $wpdb->get_results(\"SELECT * FROM \" . $yydev_secondary_table_name . \" WHERE request_url = '{$url_user_request}' || request_url = '{$url_user_request_strlower}' OR request_url = '{$full_url_path}' OR request_url = '{$url_without_slash}' OR request_url = '{$urldecode_user_request}' OR request_url = '{$urldecode_user_request_without_start_slash}' OR request_url = '{$url_with_end_slash}' \");","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-301-and-302-redirect\u002F1.6.9\u002Finclude\u002Fredirect-page.php\t2025-08-26 08:02:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-301-and-302-redirect\u002F1.7.0\u002Finclude\u002Fredirect-page.php\t2026-06-02 18:02:00.000000000 +0000\n@@ -115,7 +115,7 @@\n \n     $url_user_request_strlower = strtolower($url_user_request); \u002F\u002F makindg english caracters not capital\n \n-    $full_url_path = strtolower(yydev_redirect_get_address());\n+    $full_url_path = esc_url_raw(strtolower(yydev_redirect_get_address()));\n \n     \u002F\u002F removing the first \u002F from links in case the user forgot to add it.\n     $url_without_slash = rtrim($url_user_request, '\u002F');\n@@ -142,7 +142,7 @@\n         if(!empty($url_user_request)) {\n             \n             \u002F\u002F checking if there are database lines with the redirect similar to the corrent url\n-            $check_if_redirect_exists = $wpdb->get_results(\"SELECT * FROM \" . $yydev_secondary_table_name . \" WHERE request_url = '{$url_user_request}' || request_url = '{$url_user_request_strlower}' OR request_url = '{$full_url_path}' OR request_url = '{$url_without_slash}' OR request_url = '{$urldecode_user_request}' OR request_url = '{$urldecode_user_request_without_start_slash}' OR request_url = '{$url_with_end_slash}' \");\n+            $check_if_redirect_exists = $wpdb->get_results( $wpdb->prepare(\"SELECT * FROM \" . $yydev_secondary_table_name . \" WHERE request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s OR request_url = %s\", $url_user_request, $url_user_request_strlower, $full_url_path, $url_without_slash, $urldecode_user_request, $urldecode_user_request_without_start_slash, $url_with_end_slash) );\n \n             \u002F\u002F if there are url that require redirection \n             if( count($check_if_redirect_exists) > 0 ) {\n@@ -225,7 +225,7 @@\n         if(!empty($url_user_request)) {\n             \n             \u002F\u002F checking if there are database lines with the redirect similar to the corrent url\n-            $check_if_redirect_exists = $wpdb->get_results(\"SELECT * FROM \" . $yydev_secondary_table_name . \" WHERE redirect_query = 'contain' \");\n+            $check_if_redirect_exists = $wpdb->get_results( $wpdb->prepare(\"SELECT * FROM \" . $yydev_secondary_table_name . \" WHERE redirect_query = %s\", 'contain') );\n \n             \u002F\u002F if there are url that require redirection \n             if( count($check_if_redirect_exists) > 0 ) {","The vulnerability is exploited by targeting any frontend page of the WordPress site. An unauthenticated attacker crafts a URL that includes a backslash character (`\\`) at the end of a segment. Because the plugin uses string interpolation in its SQL queries and only filters out single and double quotes, the backslash escapes the closing quote literal in the SQL statement. Subsequent parts of the URI (which the plugin parses into additional variables like `$url_user_request_strlower`) can then be used to inject SQL keywords (e.g., `UNION SELECT`) to exfiltrate data from the WordPress database. The code executes on the `init` hook via `include\u002Fredirect-page.php`, meaning no specific login or administrative privilege is required.","gemini-3-flash-preview","2026-06-26 02:29:45","2026-06-26 02:31:21",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.6.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-301-and-302-redirect\u002Ftags\u002F1.6.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-301-and-302-redirect.1.6.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-301-and-302-redirect\u002Ftags\u002F1.7.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-301-and-302-redirect.1.7.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-301-and-302-redirect\u002Ftags"]