CVE-2026-32541 identifies a missing authorization vulnerability in the Premmerce Redirect Manager plugin, specifically affecting versions up to and including 1.0.12. The vulnerability arises from incorrectly configured access control security levels, which fail to properly restrict unauthorized users from performing sensitive actions within the plugin. Premmerce Redirect Manager is a WordPress plugin used to manage URL redirects, a critical function for SEO and site navigation. Due to the missing authorization checks, an attacker could exploit this flaw to manipulate redirect rules without proper permissions. This could lead to malicious redirects, phishing, or redirecting users to harmful sites, thereby compromising user trust and potentially exposing users to further attacks. The vulnerability does not require user interaction but likely requires the attacker to have some level of access to the WordPress environment, such as being able to send crafted requests to the plugin’s endpoints. No CVSS score has been assigned yet, and no public exploits are known at this time. The issue was reserved and published in March 2026 by Patchstack. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for vigilance and interim protective measures.

The primary impact of this vulnerability is unauthorized access to redirect management functionality, which can compromise the integrity and availability of website navigation. Attackers could redirect legitimate traffic to malicious or phishing sites, damaging the reputation of affected organizations and potentially leading to data theft or malware distribution. For e-commerce or content-driven websites, this could result in loss of customer trust, revenue, and SEO penalties. Since redirects are often critical for site operations, unauthorized changes could disrupt user experience and availability. The vulnerability could also be leveraged as part of a larger attack chain, facilitating further exploitation or lateral movement within the affected environment. Organizations worldwide using Premmerce Redirect Manager are at risk, especially those with high web traffic or sensitive user data. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once details become widely known.

Organizations should immediately audit their use of Premmerce Redirect Manager and identify if they are running affected versions (up to 1.0.12). Until an official patch is released, restrict access to the WordPress admin panel and plugin endpoints to trusted users only, using IP whitelisting or VPNs where possible. Implement Web Application Firewall (WAF) rules to detect and block unauthorized attempts to access redirect management functions. Monitor logs for unusual redirect rule changes or suspicious activity. Educate administrators on the risk and enforce strong authentication and authorization policies. Once a patch is available, apply it promptly. Additionally, consider isolating the plugin’s functionality or disabling it temporarily if it is not critical, to reduce the attack surface. Regularly update all plugins and WordPress core to minimize exposure to similar vulnerabilities.