CVE-2020-36699 in Quick Page-Post Redirect Plugin
Summary
by MITRE • 06/07/2023
The Quick Page/Post Redirect Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the qppr_save_quick_redirect_ajax and qppr_delete_quick_redirect functions in versions up to, and including, 5.1.9. This makes it possible for low-privileged attackers to interact with the plugin settings and to create a redirect link that would forward all traffic to an external malicious website.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/09/2026
The Quick Page/Post Redirect Plugin for WordPress represents a widely used tool for managing URL redirects within WordPress environments, yet it contained a critical authorization bypass vulnerability that exposed systems to significant security risks. This vulnerability specifically affected versions up to and including 5.1.9, where the plugin failed to implement proper capability checks for critical administrative functions. The flaw resides in the qppr_save_quick_redirect_ajax and qppr_delete_quick_redirect functions, which are designed to handle AJAX requests for saving and deleting redirect rules. These functions lack the necessary user permission validation that should prevent unauthorized access to administrative features, creating a pathway for attackers with minimal privileges to escalate their access within the WordPress environment.
The technical implementation of this vulnerability stems from the absence of capability verification within the plugin's AJAX handling mechanisms. When users interact with the plugin's administrative interface, these functions are called to process redirect modifications without confirming whether the requesting user possesses the appropriate permissions. This design flaw allows low-privileged users, such as subscribers or contributors who typically lack administrative capabilities, to execute redirect operations that should only be available to administrators or editors. The vulnerability directly maps to CWE-863, which addresses "Incorrect Authorization" in software systems, specifically targeting the failure to properly validate user permissions before executing privileged operations. Attackers can exploit this weakness by crafting malicious AJAX requests that leverage the vulnerable functions to establish unauthorized redirect rules, potentially compromising the entire website's traffic flow.
The operational impact of this authorization bypass vulnerability extends beyond simple privilege escalation, creating a vector for more sophisticated attacks within the WordPress ecosystem. Once attackers gain the ability to modify redirect settings, they can redirect all website traffic to malicious domains, potentially leading to phishing campaigns, malware distribution, or data exfiltration. The vulnerability creates a persistent threat that can remain undetected for extended periods, as the redirect modifications appear to be legitimate administrative actions. This type of attack aligns with ATT&CK technique T1071.004, which covers "Application Layer Protocol: DNS" and can be leveraged for malicious redirect activities. The compromised website becomes a potential staging ground for further attacks, allowing threat actors to establish persistence, conduct credential theft, or use the platform as a launchpad for targeting other systems within the network infrastructure.
Organizations affected by this vulnerability should implement immediate remediation measures, including upgrading to the latest version of the Quick Page/Post Redirect Plugin where the authorization checks have been properly implemented. Security teams should conduct comprehensive audits of their WordPress installations to identify any instances of the vulnerable plugin version and verify that appropriate capability checks are in place for all administrative functions. Network monitoring should be enhanced to detect unusual redirect patterns that might indicate exploitation attempts, while access logs should be reviewed for unauthorized administrative activities. The vulnerability serves as a reminder of the critical importance of proper input validation and capability checks in web applications, particularly in content management systems where plugins often extend administrative functionality. Organizations should also consider implementing additional security layers such as web application firewalls and privileged access management solutions to provide defense-in-depth against similar authorization bypass scenarios.