External risk intelligence

SQL Injection in Advanced 301 and 302 Redirect

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-49067

An unauthenticated SQL injection vulnerability exists in the Advanced 301 and 302 Redirect plugin, potentially allowing attackers to access or modify sensitive data in the plugin's database. Because the vulnerability is network-reachable without authentication, it could impact systems relying on this redirect functiona

4Halo Surface Signal

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-49067

This vulnerability exists in a WordPress plugin designed to manage URL redirects. Such plugins are typically active on public-facing web servers to handle site traffic, making the affected code path reachable to internet users visiting the website.

PCI scan relevance

PCI Relevance for CVE-2026-49067

Yes

CVE-2026-49067 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability is relevant for PCI scans as it can lead to unauthorized access to sensitive systems.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Horizon Alert

Summary of the vulnerability and why it matters

A critical security flaw has been identified in a plugin that manages website redirects, potentially allowing unauthorized access to sensitive information. This vulnerability could expose data through unauthenticated network attacks, impacting systems that rely on this redirect functionality.

  • Unauthenticated access to sensitive data.
  • Manages website traffic and user experience.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can target this vulnerability by sending a specially crafted request to a website using the affected redirect plugin. Because no authentication is required, an unauthenticated attacker can exploit this flaw. The vulnerability exists in the plugin's handling of redirect rules, potentially allowing an attacker to inject malicious SQL commands into the database.

  • No authentication needed.
  • Malicious SQL injected into database.
  • Unauthenticated SQL injection risk.

Live Threat

Current exploitation, exposure, and threat context

This unauthenticated SQL injection vulnerability could allow an attacker to access or modify sensitive data within the redirect plugin's database. The impact is dependent on the specific data stored by the plugin.

  • Plugin database data at risk.
  • Network access via crafted requests.
  • Unauthorized data access or modification.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability in the Advanced 301 and 302 Redirect plugin is likely to be handled by website owners or platform teams responsible for WordPress environments. The first practical step is to identify all instances of the plugin, confirm if they are publicly accessible and critical to business operations, and then determine the accountable owner for remediation.

  • Website owners should own this issue.
  • Verify plugin reachability and business criticality.
  • Plan remediation during the next maintenance window.

Frequently asked questions

What is the Advanced 301 and 302 Redirect plugin?

This is a WordPress plugin used to manage URL redirections, which helps maintain site navigation by forwarding visitors from one web address to another. It is typically installed to handle traffic routing and ensure users reach the correct pages when site structures change.

What does CVE-2026-49067 mean by SQL Injection?

This vulnerability falls under the weakness class of SQL Injection (CWE-89). It occurs when software improperly handles data from a user, allowing an attacker to insert their own commands into the application's database queries. In this case, the flaw allows unauthorized parties to influence the database without needing to log in first.

How can an attacker trigger this vulnerability?

An attacker triggers the bug by sending a specially crafted request directly to the website. Because the vulnerability does not require authentication, the attacker does not need a user account or special permissions to interact with the plugin. Requests that do not contain the specific malicious SQL structure will not trigger this security flaw.

Do I need to worry about this if my site is internal?

According to Halo Surface Signal, this vulnerability is particularly relevant to public-facing web servers because the redirect functionality must be reachable by internet users to work. If your server is strictly internal and not exposed to the public internet, the attack path is significantly harder to access, though it should still be managed to maintain overall security.

How should I respond to this threat?

Start by identifying all websites under your management that have this plugin installed. Verify if the plugin is truly necessary for your site's operations. Once identified, locate the team responsible for that specific site to plan for updates or removals during your next scheduled maintenance window.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished