
WP Meta SEO: EUVD-2026-38660 | CVE-2026-11370 | MEDIUM (vuln.today)
Server-Side Request Forgery (SSRF) (CWE-918)
Published 2026-06-24 · Source: Wordfence · GHSA-pcx4-v3rh-gq5x
CVSS 3.1 base score 6.4 · Vendor: Wordfence

Severity by source

Vendor (Wordfence), primary: 6.4 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

vuln.today AI: 6.4 MEDIUM
Network-reachable AJAX endpoint requires only contributor auth (PR:L); the scope change to internal systems (S:C) is the key differentiator; no availability impact is described.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

CVE Published: Jun 24, 2026 05:33 (cve.org)
Analysis Generated: Jun 24, 2026 07:05 (vuln.today)

Description (CVE.org)

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.

Analysis (AI)

Server-Side Request Forgery in the WP Meta SEO WordPress plugin (all versions through 4.5.18) enables authenticated contributors to coerce the web server into issuing arbitrary outbound HTTP requests via the new_link parameter, with the response status code reflected back through the AJAX JSON response as status_code. Because only the status code comes back, this is a blind SSRF with an oracle: the attacker learns whether a host, port or path answers, not what it answers with. That is enough to enumerate internal network hosts and cloud metadata services methodically (e.g., AWS IMDSv1 at 169.254.169.254), which makes the flaw particularly dangerous in cloud-hosted WordPress deployments. Where IMDSv2 is enforced, an unauthenticated GET to the metadata service returns 401, which still confirms that the endpoint exists but does not by itself expose credentials. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain contributor-level WordPress credentials
Delivery: Submit a crafted internal URL via the `new_link` AJAX parameter
Exploit: Server issues a server-side HTTP request to the target
Execution: HTTP status code is reflected in the JSON response
Persist: Repeat the request across candidate hosts, ports and paths to enumerate live internal hosts and cloud metadata paths
Impact: Map reachable internal services and metadata paths, and trigger whatever side effects those endpoints have on a plain GET; because only the status code is reflected, response bodies (such as IMDS credentials) are not readable through this flaw alone

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold at minimum a contributor-level WordPress account on the target site; unauthenticated exploitation is not possible per the CVSS PR:L vector. Contributor is the lowest WordPress role that can create posts, so on sites with open or lightly vetted author registration that bar is low. …
Risk Assessment: The CVSS 6.4 score (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) captures the scope change to systems beyond WordPress itself, which is the realistic threat: the vulnerable WordPress instance becomes a pivot point into internal networks or cloud control planes. …
Exploit Scenario: A contributor-level user on the target WordPress site submits a crafted AJAX request supplying a URL that points at an internal or link-local address (such as http://169.254.169.254/latest/meta-data/iam/security-credentials/) as the `new_link` parameter value. The WordPress server issues the outbound HTTP request and reflects the resulting status code in the JSON response, allowing the attacker to determine whether the endpoint is live. …
Remediation: No specific patched version is confirmed from the available input data; organizations should monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/2a6e37c1-aaac-4642-bace-234bbc4f6c38 for a fix release and upgrade beyond 4.5.18 as soon as one is available. Until then, limit contributor accounts to trusted users and, on cloud hosts, enforce token-gated metadata access (IMDSv2 on AWS) so that a plain GET issued by the web server cannot read instance credentials. …
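The status-code oracle described in the Description and Analysis sections, beside the destination gate that the Remediation section calls for, as an added example in Python. This is a hypothetical reconstruction written for this page, not WP Meta SEO's code: the handler names (vulnerable_new_link_handler, hardened_new_link_handler), the injected fetch and resolve callables, and the FAKE_NETWORK and FAKE_DNS tables are assumptions that let the demo run offline. It goes a little beyond the page's single case by also gating IPv6, IPv4-mapped IPv6 and hostname-resolved destinations.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

# Ranges an outbound request driven by user input must never reach. 169.254.0.0/16
# covers cloud metadata services such as 169.254.169.254; the rest cover loopback,
# RFC 1918, CGNAT, unspecified, IPv6 ULA/link-local and IPv4-mapped IPv6 space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

Resolver = Callable[[str], Iterable[str]]   # hostname -> every A/AAAA record
Fetcher = Callable[[str], int]              # url -> HTTP status (0 = no response)


def system_resolver(host: str) -> List[str]:
    # Real DNS lookup returning all records; the offline demo below does not use it.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Judge ::ffff:10.0.0.5 by the embedded IPv4 address, not as an arbitrary IPv6 one.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects non-http(s) schemes, userinfo, literal blocked IPs,
    and hostnames with *any* record in a blocked range (defeats split DNS answers)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addrs: List[str] = [host]
    except ValueError:                 # not a literal: resolve it (this also
        try:                           # normalises shorthand such as 127.1)
            addrs = list(resolve(host))
        except OSError:
            addrs = []
        if not addrs:
            return False, "host does not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"destination {addr} is in a blocked range"
    return True, "ok"


def vulnerable_new_link_handler(new_link: str, fetch: Fetcher) -> dict:
    """Shape of the flaw described for CVE-2026-11370 (reconstruction, not plugin code):
    the URL is fetched as-is and the upstream status is copied into the JSON reply."""
    return {"status_code": fetch(new_link)}


def hardened_new_link_handler(new_link: str, fetch: Fetcher,
                              resolve: Resolver = system_resolver) -> dict:
    """Gate the destination before any socket is opened; rejected links get one uniform
    error, allowed links get a boolean rather than the raw upstream status."""
    ok, _reason = validate_outbound_url(new_link, resolve)
    if not ok:
        return {"error": "invalid link"}
    return {"ok": 200 <= fetch(new_link) < 400}


# Constructed stand-ins (assumptions) for the network as seen from the web server.
FAKE_NETWORK = {
    "http://169.254.169.254/latest/meta-data/": 200,   # IMDSv1-style metadata
    "http://10.0.0.5:8080/": 200,                      # live internal service
    "http://intranet.example/": 200,
    "http://www.example.org/": 200,
}
FAKE_DNS = {"intranet.example": ["10.0.0.7"], "www.example.org": ["203.0.113.10"]}


def fake_fetch(url: str) -> int:
    return FAKE_NETWORK.get(url, 0)    # 0 models "connection failed, no status"


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def oracle_comparison(links: Iterable[str]) -> dict:
    """Both handlers' replies per link: the vulnerable one tells live internal hosts
    from dead ones, the hardened one answers identically for every blocked link."""
    return {link: (vulnerable_new_link_handler(link, fake_fetch),
                   hardened_new_link_handler(link, fake_fetch, fake_resolve))
            for link in links}


if __name__ == "__main__":
    for link, replies in oracle_comparison(sorted(FAKE_NETWORK) + ["http://10.0.0.9/"]).items():
        print(f"{link:45} vulnerable={replies[0]}  hardened={replies[1]}")
```

Running it shows the vulnerable handler answering status_code 200 for the metadata URL and 0 for a dead internal host, while the hardened handler returns the same error for both. In a WordPress plugin the native building blocks for this gate are wp_safe_remote_get(), which sets reject_unsafe_urls, and wp_http_validate_url(); check that whichever deny list you rely on covers 169.254.0.0/16 and not only loopback and RFC 1918 space. Validating and then fetching as two separate lookups leaves a DNS-rebinding window between them, so where that matters, connect to the address you validated and send the intended Host header instead of re-resolving the name.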
