CVE-2026-25392 MEDIUM

CVE-2026-25392: WordPress Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress plugin <= 1.4.0 - Open Redirection vulnerability

Vendor Kaizencoders
Product Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress
Weakness CWE-601 · Open redirect
Published February 19, 2026
Last update April 28, 2026

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in KaizenCoders Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress update-urls allows Phishing.This issue affects Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress: from n/a through <= 1.4.3.

Explanation of Vulnerability in Simple Terms

02Summary

The Update URLs plugin for WordPress contains an open redirect vulnerability in versions up to 1.4.3. An attacker can craft a malicious link that redirects users to an external website when clicked. The vulnerability requires user interaction—a site visitor must click the attacker's link. While the redirect itself doesn't directly compromise the site, it can be used in phishing attacks to steal credentials or distribute malware.

What an attacker can do

03Attacker Capabilities

Redirect site visitors to a malicious external website via a crafted link.

Potential impact on your site

04Site Impact

Your site could be used to phish visitors or distribute malware if attackers craft redirect links pointing to your site.

Conditions required to exploit

05Prerequisites

No authentication required. The victim must click an attacker-supplied link.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
April 28, 2026 Record updated