CRITICAL · CVE-2026-49067 · CNA: Patchstack

CVE-2026-49067: WordPress Advanced 301 and 302 Redirect plugin <= 1.6.9 - SQL Injection vulnerability

Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WordPress plugin Advanced 301 and 302 Redirect at version 1.6.9 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any remote visitor can send a crafted request directly to the affected endpoint. Successful exploitation reads data from the underlying database and can partially disrupt service availability. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a patch.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-49067 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle this plugin. Coverage applies regardless of whether the image was pulled from a public registry or built internally.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 9.3 Critical and surfaces it accordingly in each customer's vulnerability dashboard, with per-environment compliance policy weighting applied to prioritize it relative to other open findings. Routing rules direct the alert to the team or inbox configured in each customer org for critical-severity WordPress or web-application findings.

Status: Available
Patch

Because no fix version exists for CVE-2026-49067, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment yydevelopment publishes a remediated release. In the interim, compensating-control recommendations (described below) are surfaced to customers running affected images.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the WordPress site to trigger the injection.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by any unauthenticated HTTP request.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the server without involving any logged-in user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special timing, or knowledge of environment-specific values.

Blast Radius

  • An attacker reads arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), email addresses, session tokens, and any plugin-persisted customer data.
  • Because the scope token is Changed (S:C), database reads can extend beyond the plugin's own data to other tables or schemas accessible to the database user, depending on database configuration.
  • Service availability is partially degraded; malformed or resource-intensive SQL queries can slow or crash database-dependent page loads, affecting site uptime.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-49067 as of the publication date, HarborGuard continuously monitors the Patchstack advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment yydevelopment releases a fix. For customers with auto-remediation enabled, the rebuild, regression-test run, and a PR opened against affected workloads will trigger without manual intervention once a fix version is published. While no patch is available, HarborGuard surfaces compensating-control recommendations for affected environments: applying a web application firewall (WAF) rule to block or sanitize requests hitting the redirect plugin's endpoints, enforcing network-policy isolation so the WordPress container cannot make outbound database calls beyond its required scope, and where feasible, disabling or removing the plugin until a patch ships. Critical-severity advisories without a fix are flagged for continuous re-evaluation so the patched rebuild reaches customers with minimal delay after upstream remediation.

Affected packages
  • yydevelopment / Advanced 301 and 302 Redirect
    ≤ 1.6.9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L