vulnerability
WordPress Plugin: redirection: CVE-2018-1000504: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Jul 12, 2018 | May 15, 2025 | May 5, 2026 |
Description
Redirection version 2.7.3 contains an arbitrary code execution (ACE) via file inclusion vulnerability in Pass-through mode that allows admins to execute any PHP file in the filesystem. To exploit it, the attacker must have access to an admin account on the target site. This vulnerability appears to have been fixed in 2.8.
Solution
redirection-plugin-cve-2018-1000504
References
- https://www.cve.org/CVERecord?id=CVE-2018-1000504
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6e81cbe3-1310-4f6f-ae42-8d09b321657a?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2018-1902
- CVE-2018-100050
- https://attackerkb.com/topics/CVE-2018-100050
- CWE-601
- EUVD-EUVD-2018-1902