Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Network-reachable AJAX endpoint requires only contributor auth (PR:L); scope change to internal systems (S:C) is the key differentiator; no availability impact described.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.
AnalysisAI
Server-Side Request Forgery in the WP Meta SEO WordPress plugin (all versions through 4.5.18) enables authenticated contributors to coerce the web server into issuing arbitrary outbound HTTP requests via the new_link parameter, with the response status code reflected back through the AJAX JSON response as status_code. This status-code oracle allows methodical enumeration of internal network hosts and cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), making it particularly dangerous in cloud-hosted WordPress deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at minimum a contributor-level WordPress account on the target site - unauthenticated exploitation is not possible per the CVSS PR:L vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 score (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) captures the scope change to systems beyond WordPress itself, which is the realistic threat: the vulnerable WordPress instance becomes a pivot point into internal networks or cloud control planes. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A contributor-level user on the target WordPress site submits a crafted AJAX request supplying an internal IP address (such as http://169.254.169.254/latest/meta-data/iam/security-credentials/) as the `new_link` parameter value. The WordPress server issues the outbound HTTP request and reflects the resulting status code in the JSON response, allowing the attacker to determine whether the endpoint is live. … |
| Remediation | No specific patched version is confirmed from the available input data - organizations should monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/2a6e37c1-aaac-4642-bace-234bbc4f6c38 for a fix release and upgrade beyond 4.5.18 as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Meta Seo
View allSame weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38660
GHSA-pcx4-v3rh-gq5x