Severity: HIGH | CVE-2026-52702 | CNA: Patchstack

CVE-2026-52702: WordPress SEO Redirection plugin <= 9.17 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a reflected or stored Cross-Site Scripting (XSS) vulnerability in the SEO Redirection plugin for WordPress, affecting versions 9.17 and below. It is reachable over the network, requires no authentication, but does require a victim to interact with a crafted link or page. Successful exploitation allows an attacker to inject and run arbitrary JavaScript in a victim's browser, enabling session hijacking, credential theft, or unauthorized actions taken on behalf of the victim. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-52702 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and vendor advisories. Coverage extends to custom-built images that bundle the SEO Redirection plugin, whether sourced from official WordPress repositories or vendored directly into a container.

Status: Available
Triage

Triage is available with a CVSS v3.1 score of 7.1 (HIGH), weighted further against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules for WordPress-based workloads.

Status: Available
Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated version of the SEO Redirection plugin.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends a crafted HTTP request to the exposed WordPress installation.

  • Authentication: Not required

    No account or credentials of any kind are needed; the vulnerability is exploitable by any unauthenticated visitor.

  • Victim interaction: Required

    A victim must follow a malicious link or visit a crafted page that triggers the injected script in their browser.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup beyond delivering the malicious payload to the victim.

Blast Radius

  • An attacker executes arbitrary JavaScript in the victim's browser session, reading stored cookies including session tokens tied to the WordPress admin or logged-in user account.
  • Confidential page content visible to the victim, such as draft posts, user profile data, or plugin configuration values, is exposed to the attacker-controlled script.
  • The injected script can submit authenticated WordPress actions on behalf of the victim, modifying site content, creating accounts, or changing plugin settings.
  • The integrity of the rendered page is compromised; the attacker can deface visible content or redirect the victim to a phishing site.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-52702 is active across all customer environments, matching any image that packages the SEO Redirection plugin at version 9.17 or below. Because no upstream fix has been published as of the CVE record date, HarborGuard monitors the Patchstack and NVD advisory feeds on every ingest cycle and will surface a patched-image rebuild automatically when the maintainer releases a remediated version. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict public HTTP access to WordPress admin surfaces, egress filtering to block outbound requests from compromised containers, and flagging affected images for manual review in environments where the plugin is active. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention the moment a fix version is available upstream.

Affected packages
  • wp-buy / SEO Redirection, versions ≤ 9.17
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
References