BetterLinks patches severe vulnerabilities in Simple 301 Redirects plugin

Recently, Wordfence’s Threat Intelligence team announced details about a vulnerability found and patched in the BetterLinks’ Simple 301 Redirects plugin, which is used by over 300K WordPress websites.

The most severe vulnerability in the plugin made it possible for unauthenticated users to update redirects, which allowed an attacker to send all of a site's traffic to an external malicious site. The remaining flaws allowed authenticated users to install and activate plugins and to perform other, less critical actions.

BetterLinks’ Simple 301 Redirects plugin allows WordPress sites to create 301 redirects. As part of version 2.0.0, the plugin was enhanced, and several new features were added. The update included a new feature that allowed users to import and export redirects. Unfortunately, a security hole was found in this functionality.


This vulnerability is rated as 'Critical' on Patchstack (score: 9.9). By exploiting it, an authenticated attacker could install and activate any plugin, including one containing a more severe vulnerability, in order to infect the vulnerable site further and escalate privileges.

Wordfence Threat Intelligence contacted the plugin’s developer on April 8, 2021. As soon as the appropriate communication channel had been established, the full disclosure details were provided on April 11, 2021.

The first patch for the plugin was released on April 15, 2021, and the final patch was released as version 2.0.4 on May 5, 2021.

We strongly recommend that you update the WordPress Simple 301 Redirects by BetterLinks plugin to the latest available version (at least v2.0.4) to keep your website safe from attackers.

Disclosure: Our content is reader-supported, which means that if you click on some of our links, we may earn a commission.