Authenticated settings change vulnerability in WordPress Quick Page/Post Redirect plugin (unpatched).

This plugin is no longer maintained and the vulnerability has never been fixed. Make sure to follow the recommendations below.

Quick Page/Post Redirect, a WordPress plugin with 200,000+ active installations, is prone to an authenticated settings change vulnerability in version 5.1.9 and below.

The lack of a capability check and a weak security nonce could allow a low-privileged user, such as a contributor, to interact with the plugin settings and create a redirect link that would forward all traffic to an external malicious website. Redirections are performed via the “Location” header:

$ curl -I
HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Feb 2020 15:44:05 GMT
RedirectType: Quick Page Post Redirect - Quick
X-Redirect-By: WordPress
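
A defender-side check for the redirect shown above, as an added example that is not part of the original advisory: it parses a response head saved from curl -I and reports whether a redirect carrying this plugin's RedirectType header points off-site. The sample response, its Location value and the host names are constructed for illustration, and treating subdomains of the site as internal is an assumption of this example.

```python
from urllib.parse import urlsplit

# Marker this plugin puts in its RedirectType header (taken from the output above).
PLUGIN_MARKER = "quick page post redirect"

# Constructed sample: the response above plus a made-up Location value.
SAMPLE_EXTERNAL = """\
HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Feb 2020 15:44:05 GMT
RedirectType: Quick Page Post Redirect - Quick
X-Redirect-By: WordPress
Location: https://redirect-target.example/landing
"""

def parse_head(raw):
    """Split a raw HTTP response head into (status_code, {lowercased name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    if not lines:
        return 0, {}
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_redirect(raw, site_host):
    """Classify one response as 'not-plugin', 'internal' or 'external'."""
    status, headers = parse_head(raw)
    if not 300 <= status < 400:
        return "not-plugin"
    if PLUGIN_MARKER not in headers.get("redirecttype", "").lower():
        return "not-plugin"
    site = site_host.lower()
    # urlsplit also resolves protocol-relative targets such as //host/path.
    host = (urlsplit(headers.get("location", "")).hostname or "").lower()
    # A Location without a host is a relative path and stays on the site.
    if not host or host == site or host.endswith("." + site):
        return "internal"
    return "external"

if __name__ == "__main__":
    print(audit_redirect(SAMPLE_EXTERNAL, "blog.example"))
```

Run it over the saved response head of each URL on the site; any "external" result is a redirect to review before removing the plugin.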

Additional issues were also found in the plugin; however, because they won’t be fixed, we won’t provide more details.


We discovered the vulnerability and reported it to the author, unsuccessfully, on February 17th, 2020. The plugin was removed from the repo on February 28th, 2020.


We recommend uninstalling this plugin, as there isn’t any security patch available. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet