WordPress Plugin Vulnerabilities

301 Redirects - Easy Redirect Manager < 2.45 - Authenticated Arbitrary Redirect Injection and Modification, XSS, and CSRF

Description

The weaknesses allow for any authenticated user, even subscribers, to modify, delete, and inject redirect rules that could potentially result in a loss of site availability, in addition to XSS and CSRF.

Proof of Concept

Affects Plugins

Plugin icon
eps-301-redirects
Fixed in 2.45

References

CVE
CVE-2019-19915
URL
https://www.wordfence.com/blog/2019/12/critical-vulnerability-patched-in-301-redirects-easy-redirect-manager/

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://www.wordfence.com/
Submitter twitter
infosecchloe
Verified
No
WPVDB ID
acc30913-f4b3-4008-9a32-33b24232587b

Timeline

Publicly Published
2019-12-19 (about 6 years ago)
Added
2019-12-19 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2026-04-14
Title
Amelia < 2.3 - Unauthenticated Booking Status Manipulation
Published
2025-07-24
Title
PPWP < 1.9.11 - Subscriber+ Access Bypass via REST API
Published
2024-09-17
Title
WP Hardening – Fix Your WordPress Security < 1.2.7 - Unauthenticated Security Feature Bypass to Username Enumeration
Published
2024-04-15
Title
Zero Spam < 5.5.7 - Spam Protection Bypass
Published
2026-03-23
Title
CM HIPAA Forms < 3.2.0 - Unauthenticated Authorization Bypass