Redirection is a WordPress plugin to manage 301 redirections and keep track of 404 errors without requiring knowledge of Apache .htaccess files.


Use with caution

Confidence: Medium. This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings.


Warning: old version

This recommendation applies to version 2.5 of this plugin, but the most recent version is 3.0. These findings may no longer be correct.


  • Trusts the value of $_SERVER['HTTP_X_FORWARDED_FOR'] as a source for the user’s IP address. This means that if the server does not strip or replace that value before passing it to PHP, unauthenticated users can insert arbitrary strings into the IP address field of the logs.
  • Note that the IP address field is created as varchar(17), so most unauthenticated users connecting to the site via IPv6 will not have their IP addresses recorded in the database.
  • The above two issues are probably not security issues so long as the logs generated by this plugin are not used for security purposes.
  • Contains a “pass through” mode where the plugin makes an HTTP request to a target URL and then displays the returned content as HTML. It is unclear what utility this feature serves, and it allows admins to seriously compromise the security of the site by including arbitrary HTML from potentially untrusted third parties.
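
The first two findings illustrated as an added example (this is not the plugin's code): a header-trusting lookup next to a form that only reads X-Forwarded-For when the connecting peer is a known proxy and only returns values that parse as IP addresses. The function names, the TRUSTED_PROXIES list and all addresses are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. TRUSTED_PROXIES and both function
// names are hypothetical; all addresses are constructed documentation values.
const TRUSTED_PROXIES = ['192.0.2.10'];

// Pattern described in the finding: the header value is used as-is.
function client_ip_trusting_header(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? ($server['REMOTE_ADDR'] ?? '');
}

// Hardened form: the header is read only when the TCP peer is a known proxy,
// and every value returned must parse as an IP address.
function client_ip_hardened(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // direct connection: the header is client-controlled
    }
    // Read right to left: the rightmost entries were appended by our own
    // proxies, so the first entry that is not a trusted proxy is the client.
    foreach (array_reverse(array_map('trim', explode(',', $header))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed header: fall back to the peer address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests: one direct with a forged header, one via the proxy
// where the leftmost entry was supplied by the client.
$direct  = ['REMOTE_ADDR' => '2001:db8::1', 'HTTP_X_FORWARDED_FOR' => 'arbitrary text'];
$proxied = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 198.51.100.4'];

foreach (['direct' => $direct, 'proxied' => $proxied] as $name => $req) {
    printf("%s: header-trusting=%s hardened=%s\n", $name,
        client_ip_trusting_header($req), client_ip_hardened($req));
}

// A textual IPv6 address can be up to 45 characters, so a varchar(17)
// column cannot hold most of them. Length of one constructed address:
printf("%d\n", strlen('2001:db8:85a3:1111:2222:8a2e:370:7334'));
```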

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Allows admin users to embed arbitrary HTML from any third party with a website, without providing any warning about how dangerous this feature is.

Read more about our failure criteria.

Fail: Lack of proper output escaping

We conduct these inspections for our own use, and publish them in the hope that they may be useful to others. We don't guarantee that these findings are correct.

Please read this site's terms of service before taking any action based on information published here.

Tom Adams
Last revised: June 16, 2017
Versions tested
Plugin homepage
Other versions: None listed