The plugin does not have a CSRF check in place when deleting redirects, which could allow attackers to make a logged-in admin delete them via a CSRF attack.
https://example.com/wp-admin/admin.php?page=wp-seo-redirect-301/seo_redirect_list.php&delete_id=12&delete_url=https://example.com/yolo
delete_id is the post ID, which is public, and delete_url is the URL that redirects to the destination, so an attacker has all the info needed to exploit it.
Francesco Carlucci
Francesco Carlucci
Yes
2021-10-11 (about 7 months ago)
2021-10-11 (about 7 months ago)
2022-04-08 (about 1 months ago)