Description
The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).
Published: 2026-06-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker without authentication to store malicious script code in the database by exploiting the plugin’s handling of a 404 request. When an administrator visits the plugin’s 404 & Redirects admin page, the unsanitized content stored from REQUEST_URI will be executed in the admin context, permitting arbitrary JavaScript execution, defacement, or credential theft. The weakness is a classic Stored Cross‑Site Scripting (CWE‑79) that compromises the integrity and confidentiality of the site.

Affected Systems

All releases of WP Meta SEO by joomunited from 4.5.0 through 4.5.18 are affected.

Risk and Exploitability

The CVSS score of 7.2 classifies it as High. EPSS data is not available, so exploitation probability cannot be quantified, but the issue is not listed in CISA KEV. Attack does not require authentication but relies on fostering a 404 condition by visiting a crafted URL. Once a malicious entry is stored, any user who subsequently views the plugin’s 404 & Redirects page will have the script executed, making it a serious risk for site administrators.

Generated by OpenCVE AI on June 24, 2026 at 09:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Meta SEO to version 4.5.19 or newer, where the handling of the REQUEST_URI has been secured.
  • If an immediate upgrade is not possible, disable the plugin’s 404 logging by removing or commenting out the wpmsTemplateRedirect() hook or editing the plugin file to eliminate the unauthenticated $wpdb->insert() of raw data.
  • Ensure that access to the 404 & Redirects admin page is restricted to authenticated administrators using strong credentials and, if feasible, enable two‑factor authentication to reduce the impact of any XSS exploitation.

Generated by OpenCVE AI on June 24, 2026 at 09:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Joomunited
Joomunited wp Meta Seo
Wordpress
Wordpress wordpress
Vendors & Products Joomunited
Joomunited wp Meta Seo
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).
Title WP Meta SEO <= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI in 404 Logging
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Joomunited Wp Meta Seo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:29.486Z

Reserved: 2026-05-26T18:57:23.139Z

Link: CVE-2026-9643

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')