Redirection Vulnerability – Missing Authorization – CVE-2024-31435 | WordPress Plugin Vulnerability Report 

Plugin Name: Redirection

Key Information:

  • Software Type: Plugin
  • Software Slug: redirect-redirection
  • Software Status: Active
  • Software Author: inisev
  • Software Downloads: 329,941
  • Active Installs: 60,000
  • Last Updated: April 22, 2024
  • Patched Versions: 1.2.0
  • Affected Versions: <= 1.1.9

Vulnerability Details:

  • Name: Inisev Analyst Module <= 1.1.9
  • Title: Missing Authorization
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CVE: CVE-2024-31435
  • CVSS Score: 4.3
  • Publicly Published: April 10, 2024
  • Researcher: Dhabaleshwar Das
  • Description: The Redirection plugin, along with multiple other plugins and/or themes by Inisev, is vulnerable to unauthorized access due to a missing capability check on several functions in various versions. This security gap allows authenticated attackers, with subscriber-level access and above, to perform unauthorized actions within the WordPress site.

Summary:

The Redirection plugin for WordPress has a vulnerability in versions up to and including 1.1.9 that allows authenticated attackers to perform unauthorized actions due to missing authorization checks. This vulnerability has been patched in version 1.2.0.

Detailed Overview:

This vulnerability, identified by security researcher Dhabaleshwar Das, affects the Inisev Analyst Module integrated within the Redirection plugin. The root cause is that several functions lacked a capability check, so low-level users, such as subscribers, could execute actions typically reserved for higher-privileged users. The potential risks include unauthorized modifications to redirection rules, which could redirect users to malicious sites or interfere with the website’s normal operations. Patching this vulnerability was crucial to prevent possible exploitation that could compromise site integrity and user trust.
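As an added illustration of the bug class described above (this is not the Redirection plugin's own code; the function, hook and option names are hypothetical), here is a WordPress admin-ajax handler that saves a redirect rule without any capability check, followed by the hardened form that verifies a nonce and the caller's capability before touching the option:

```php
<?php
// Hypothetical handler illustrating a missing capability check (not Redirection's code).
// wp_ajax_* hooks fire for ANY logged-in user, regardless of role, so the handler
// itself must decide whether the caller is authorized.

// VULNERABLE: no current_user_can() and no nonce, so a subscriber who can reach
// admin-ajax.php can overwrite the site's redirect rules.
function demo_save_redirect_vulnerable() {
    $rules = get_option( 'demo_redirect_rules', array() );
    $rules[ sanitize_text_field( $_POST['from'] ) ] = esc_url_raw( $_POST['to'] );
    update_option( 'demo_redirect_rules', $rules );
    wp_send_json_success();
}
// Before the fix this was wired up as:
// add_action( 'wp_ajax_demo_save_redirect', 'demo_save_redirect_vulnerable' );

// HARDENED: CSRF check (nonce) plus authorization check (capability) before acting.
function demo_save_redirect_fixed() {
    // Nonce issued to the settings page with wp_create_nonce( 'demo_save_redirect' ).
    check_ajax_referer( 'demo_save_redirect', 'nonce' );

    // Authorization: only users who may change site options can edit redirects.
    // wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Validate and sanitize input only after the caller is known to be allowed.
    $from = isset( $_POST['from'] ) ? sanitize_text_field( wp_unslash( $_POST['from'] ) ) : '';
    $to   = isset( $_POST['to'] ) ? esc_url_raw( wp_unslash( $_POST['to'] ) ) : '';
    if ( '' === $from || '' === $to ) {
        wp_send_json_error( array( 'message' => 'Missing parameters' ), 400 );
    }

    $rules          = get_option( 'demo_redirect_rules', array() );
    $rules[ $from ] = $to;
    update_option( 'demo_redirect_rules', $rules );
    wp_send_json_success( array( 'rules' => $rules ) );
}
add_action( 'wp_ajax_demo_save_redirect', 'demo_save_redirect_fixed' );
```

When auditing a plugin for this class of issue, look for every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm that each one performs its own capability check rather than relying on the menu page or the nonce alone.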

Advice for Users:

  • Immediate Action: It is crucial for users to update their Redirection plugin to the patched version, 1.2.0, immediately to mitigate any risks associated with this vulnerability.
  • Check for Signs of Vulnerability: Website administrators should review their site logs for any unauthorized or unusual activities, particularly related to redirection settings or other site modifications.
  • Alternate Plugins: Users concerned about ongoing security might consider evaluating other highly rated redirection plugins that have demonstrated robust security practices.
  • Stay Updated: Maintaining the latest versions of all installed plugins and themes is vital for securing WordPress installations against known vulnerabilities.

Conclusion:

The swift resolution provided by the developers of the Redirection plugin in response to the discovered security flaw highlights the importance of timely software updates. Users are encouraged to install version 1.2.0 or later of the Redirection plugin to ensure their sites remain secure against unauthorized access and manipulations.

Detailed Report: 

In the digital landscape, the security of your WordPress website is paramount. This truth is underscored by the recent discovery of a critical vulnerability in the widely used Redirection plugin, which has highlighted the ongoing challenge of maintaining secure digital environments. The vulnerability, identified as CVE-2024-31435, has exposed a missing authorization check within the plugin that could allow low-level users, such as subscribers, to perform actions that should be restricted to higher-level administrators. This flaw not only jeopardizes the integrity of affected websites but also poses a risk to user data and overall site functionality.

Detailed Overview:

The issue was first identified by researcher Dhabaleshwar Das, who noted that the Redirection plugin failed to adequately secure several critical functions, thereby permitting authenticated users at almost any level to manipulate the redirection rules without proper authorization. This type of vulnerability is particularly dangerous because it can be exploited to redirect visitors to harmful sites, compromise user sessions, or manipulate website content without the site owner's knowledge.

Previous Vulnerabilities:

Since February 21, 2023, the Redirection plugin has encountered 29 reported vulnerabilities, underscoring the need for continuous vigilance and timely updates to safeguard against potential threats.

Conclusion:

The swift response by the developers of the Redirection plugin to address and patch this vulnerability highlights the critical nature of timely software updates in maintaining site security. Users are strongly advised to upgrade to version 1.2.0 or later to ensure their WordPress installations remain secure against unauthorized access and manipulations.

Final Thoughts:

For small business owners, managing a WordPress website can be challenging, especially when it comes to staying on top of security updates. However, the cost of ignoring such updates can be far greater than the time invested in keeping your site secure. Implementing a routine for regular updates, utilizing automated tools, and subscribing to security advisories can greatly reduce your site's vulnerability to attacks, helping you maintain a secure and trustworthy online presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
