Wp Meta Seo

2 CVEs product

Monthly

CVE-2026-9643 HIGH This Week

Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or actions performed on the administrator's behalf. No public exploit identified at time of analysis; no KEV listing.

PHP WordPress XSS Wp Meta Seo
NVD
CVSS 3.1: 7.2
EPSS: 0.2%
CVE-2026-11370 MEDIUM This Month

Server-Side Request Forgery in the WP Meta SEO WordPress plugin (all versions through 4.5.18) enables authenticated contributors to coerce the web server into issuing arbitrary outbound HTTP requests via the `new_link` parameter, with the response status code reflected back through the AJAX JSON response as `status_code`. This status-code oracle allows methodical enumeration of internal network hosts and cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), making it particularly dangerous in cloud-hosted WordPress deployments. No public exploit identified at time of analysis, though the vulnerability is confirmed by Wordfence with direct source code references and the technique is well understood.

WordPress SSRF Oracle Wp Meta Seo
NVD
CVSS 3.1: 6.4
EPSS: 0.2%
