Description
The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Meteor Website Speed Optimization Addon plugin for WordPress contains a flaw in its frontend_rewrite function that fails to sanitise or escape the placeholder content "WPMETEOR[N]WPMETEOR". Untrusted input such as comment submissions can be used to store JavaScript code in the system. When a page containing the placeholder is rendered, the stored script executes in the browsers of any visitor, giving the attacker the ability to hijack sessions, exfiltrate data or deliver further malicious payloads. This is a classic client-side injection weakness identified as CWE-79.

Affected Systems

WordPress sites that have installed the WP Meteor Website Speed Optimization Addon plugin in any version up to and including 3.4.16. The issue applies to all WordPress environments that support this plugin; no specific WordPress core version is singled out. All installations running a vulnerable plugin version are exposed.

Risk and Exploitability

The vulnerability has a CVSS score of 6.1, indicating moderate severity. The EPSS score is very low (<1%), and the exploit is not listed in the CISA KEV catalog. The attack surface is remote, as any external input that feeds the frontend_rewrite logic can be abused, and the flaw is exploitable by unauthenticated users, so an attacker needs only to craft a malicious comment or form submission.

Generated by OpenCVE AI on April 29, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Meteor Website Speed Optimization Addon to the latest released version: any version newer than 3.4.16 will contain the XSS fix
  • If an upgrade is not immediately possible, contact the plugin author or vendor for a patch or temporary mitigation guidance
  • Apply input validation or output encoding on comment fields (or any form that reaches the plugin's rewrite logic) to ensure script tags are stripped or safely encoded, following best practices for CWE-79


Tracking


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 13:45:00 +0000

Type: First Time appeared
Values Added:
  • Aguidrevitch
  • Aguidrevitch wp Meteor Website Speed Optimization Addon
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Aguidrevitch
  • Aguidrevitch wp Meteor Website Speed Optimization Addon
  • Wordpress
  • Wordpress wordpress

Wed, 29 Apr 2026 12:00:00 +0000

Type: Description
Values Added:
  The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added:
  WP Meteor Website Speed Optimization Addon <= 3.4.16 - Unauthenticated Stored Cross-Site Scripting via Comment

Type: Weaknesses
Values Added:
  CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added:
  {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Aguidrevitch Wp Meteor Website Speed Optimization Addon
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-29T15:09:40.541Z

Reserved: 2026-02-20T19:51:33.715Z

Link: CVE-2026-2902

Vulnrichment

Updated: 2026-04-29T14:58:57.661Z

NVD

Status: Deferred

Published: 2026-04-29T12:16:18.753

Modified: 2026-04-29T21:16:21.590

Link: CVE-2026-2902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:30:20Z

Weaknesses