If you are using the SEO Redirection Plugin for WordPress, especially a version up to 8.9, it's time to pay close attention. There's a severe weak spot discovered, officially listed as CVE-2022-40695. This flaw allows attackers to carry out both Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks — and that's a combo you do not want living rent-free on your site.
Public reference:
- NVD Entry
- WPScan Advisory
- Patchstack Blog
The Core Problem
This plugin helps manage redirects on WordPress, but it doesn’t protect critical actions with nonces (security tokens). Admin pages with forms (like adding or deleting redirects) don't confirm if a request actually came from a legit admin user — or from some random attacker sending crafted requests.
At the same time, user-supplied data — like new redirect URLs — isn't cleaned up properly. An attacker sneaking in a script via a redirect field can have their input "echoed" into admin pages, which opens doors to XSS.
Combining these two flaws, a bad actor could trick an admin into clicking a special link or visiting a hacked page. This could:
Inject malicious scripts onto the admin dashboard
- Steal cookie/session data, potentially taking over admin accounts
Exploit Details
The most dangerous uses involve social engineering — for example, emailing a logged-in admin a link to a malicious website. If they click while logged in, the attack fires!
Exploit Scenario 1: CSRF - Add a Malicious Redirect
Let's say you want to add a redirect that contains JavaScript.
Here's a minimal CSRF payload (usually hidden as an image or iframe)
<form id="evil" action="https://example.com/wp-admin/admin.php?page=seo_redirect/seo_redirect.php"; method="POST">
<input type="text" name="redirect_from" value="/evil" />
<input type="text" name="redirect_to" value="<script>alert('XSS')</script>" />
<input type="hidden" name="action" value="add_redirect" />
</form>
<script>document.getElementById('evil').submit();</script>
If an admin is tricked into loading a page with this form, it submits the malicious redirect as them. No security nonce is checked!
Exploit Scenario 2: XSS via Redirect Field
Once that redirect is stored, if the WordPress admin page displays the redirect_to field's value without escaping, that <script> runs in the admin's browser. Bad news: the attacker's code can then steal session cookies, create new admin users, or do basically anything the real admin can do.
Protection & Fix
The plugin authors fixed this in v9. — upgrade now!
The plugin's PHP page for adding redirects might look like this (stripped for clarity)
if ($_POST['action'] == 'add_redirect') {
$from = $_POST['redirect_from'];
$to = $_POST['redirect_to'];
add_redirect($from, $to); // No sanitization, no nonce check!
}
Secure plugins add a nonce check, something like
if (!wp_verify_nonce($_POST['nonce'], 'redirect_action')) {
die('Invalid CSRF token');
}
For cleaning XSS, you'd see
$to = esc_url_raw($_POST['redirect_to']); // or esc_html, sanitize_text_field, etc.
Summary Checklist
✔️ Upgrade plugin to 9. or higher
✔️ Beware social engineering and weird links when logged in
✔️ Always sanitize and validate inputs in all custom plugins
Found this useful? Protect your WordPress install, keep everything updated, and always check that plugins use proper WordPress nonce and escaping functions!
References:
- Official NVD CVE record
- Patchstack Advisory
- WPScan details
- Fixed plugin at WordPress.org
Timeline
Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/21/2022 01:28:00 UTC