Description
The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.
Published: 2026-06-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the WP Meta SEO WordPress plugin, affecting all releases up to version 4.5.18. An authenticated user with contributor-level or higher privileges can manipulate the "new_link" parameter in an AJAX call, causing the server to issue arbitrary HTTP requests to any URL. The plugin then returns the HTTP response status in the JSON reply, allowing an attacker to enumerate internal hosts or cloud metadata endpoints and potentially read or alter internal data. This flaw is identified as CWE-918 and provides a moderate-risk path for internal network reconnaissance and data exfiltration.
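As an added illustration, not WP Meta SEO's own code, the following hypothetical WordPress AJAX handler shows the checks a fix for this CWE-918 pattern needs: it resolves the user-supplied host and rejects loopback, private and link-local (cloud metadata) addresses, fetches only through wp_safe_remote_head(), and does not reflect the upstream status code to the caller. The function names, nonce action and required capability are assumptions.

```php
// Added example, not WP Meta SEO's code; names prefixed 'myplugin_' are hypothetical.
// True only if $url is http(s) and every address its host resolves to is public.
function myplugin_is_public_http_url( $url ) {
    // Normalises the URL, limits it to http/https and rejects 127/8, 10/8, 172.16/12, 192.168/16.
    $url = wp_http_validate_url( $url );
    if ( false === $url ) {
        return false;
    }
    $host = wp_parse_url( $url, PHP_URL_HOST );
    $ips  = array();
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $ips[] = $host;
    } elseif ( ! empty( $host ) ) {
        // Resolve the name so a DNS record pointing at an internal host is caught too.
        foreach ( (array) dns_get_record( $host, DNS_A | DNS_AAAA ) as $rec ) {
            if ( isset( $rec['ip'] ) )   { $ips[] = $rec['ip']; }
            if ( isset( $rec['ipv6'] ) ) { $ips[] = $rec['ipv6']; }
        }
    }
    if ( empty( $ips ) ) {
        return false;
    }
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7. NO_RES_RANGE: 0/8, 127/8,
    // 169.254/16 (covers the 169.254.169.254 metadata endpoint), 240/4, ::1, ::, fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ( $ips as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) {
            return false;
        }
    }
    return true;
}

function myplugin_ajax_check_link() {
    check_ajax_referer( 'myplugin_check_link', 'nonce' );
    // Limit the endpoint to site administrators rather than Contributor and above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $url = isset( $_POST['new_link'] ) ? esc_url_raw( wp_unslash( $_POST['new_link'] ) ) : '';
    if ( ! myplugin_is_public_http_url( $url ) ) {
        wp_send_json_error( array( 'message' => 'link must point to a public http(s) host' ), 400 );
    }
    // wp_safe_remote_head() re-validates the URL and each redirect target at request time.
    $resp = wp_safe_remote_head( $url, array( 'timeout' => 5, 'redirection' => 2 ) );
    // Return a coarse verdict only; echoing the upstream status_code creates an oracle.
    $reachable = ! is_wp_error( $resp ) && wp_remote_retrieve_response_code( $resp ) < 400;
    wp_send_json_success( array( 'reachable' => $reachable ) );
}
add_action( 'wp_ajax_myplugin_check_link', 'myplugin_ajax_check_link' );
```

The resolve-then-fetch sequence still leaves a small DNS rebinding window; wp_safe_remote_head() re-checking at request time narrows it, and egress filtering on the host closes it.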

Affected Systems

Systems running WordPress with the WP Meta SEO plugin, versions 4.5.18 and earlier. The plugin is developed by joomunited and distributed under the WP Meta SEO product name.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity flaw, and the EPSS score is not available, suggesting limited public exploitation data. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the site and hold at least contributor privileges, so the flaw cannot be triggered by an unauthenticated remote party. Once authenticated, they can craft URLs to probe internal services or cloud metadata, leading to information disclosure or further compromise.

Generated by OpenCVE AI on June 24, 2026 at 09:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Meta SEO to a version newer than 4.5.18 as soon as the vendor releases an official patch.
  • If an upgrade is infeasible, reduce the privileges of the site's contributor role or remove contributor access from the affected user base to limit the attack surface.
  • Deploy a web application firewall rule or security plugin to block or inspect AJAX requests carrying the "new_link" parameter, and block the resulting outbound HTTP requests from the web server to internal and cloud metadata addresses.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.
Title | | WP Meta SEO <= 4.5.18 - Authenticated (Contributor+) Server-Side Request Forgery via 'new_link' Parameter
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:23.066Z

Reserved: 2026-06-05T12:01:15.956Z

Link: CVE-2026-11370

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)