CVE-2026-9643 in WP Meta SEO Plugin
Summary
by MITRE • 06/24/2026
The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/24/2026
The WP Meta SEO plugin for WordPress presents a critical security vulnerability classified as Unauthenticated Stored Cross-Site Scripting that affects all versions up to and including 4.5.18. This flaw resides in the plugin's handling of 404 error responses through its wpmsTemplateRedirect() hook implementation. The vulnerability stems from improper input validation and sanitization of server variables, creating an attack vector that allows remote unauthenticated adversaries to execute malicious scripts within the context of administrator sessions.
The technical exploitation occurs when the plugin processes 404 errors by concatenating the HTTP_HOST server variable with the raw REQUEST_URI server variable without adequate sanitization. This concatenated value is then inserted verbatim into the wp_wpms_links.link_url database column using the WordPress $wpdb->insert() method, bypassing standard security filters and validation mechanisms. The vulnerability leverages the fact that REQUEST_URI contains user-controlled input that can be manipulated to include malicious script code, which gets stored in the database and subsequently executed when administrators access the plugin's 404 & Redirects admin page at /wp-admin/admin.php?page=metaseo_broken_link.
The operational impact of this vulnerability is severe as it enables attackers to execute arbitrary web scripts in the context of administrator sessions without requiring authentication or prior access to the WordPress installation. This creates a persistent threat where malicious payloads can remain active for extended periods, potentially allowing attackers to escalate privileges, steal session cookies, perform administrative actions, or redirect users to malicious websites. The stored nature of the vulnerability means that even if the initial attack vector is closed, the malicious scripts will continue to execute whenever administrators view the affected admin page, making it particularly dangerous for high-privilege accounts.
Security professionals should implement immediate mitigations including updating to patched versions of the WP Meta SEO plugin, implementing web application firewalls to filter suspicious REQUEST_URI content, and monitoring database tables for malicious entries. The vulnerability aligns with CWE-79 (Cross-Site Scripting) and follows ATT&CK technique T1566 (Phishing) where attackers can use stored XSS to establish persistent access through administrator sessions. Organizations should also consider implementing input validation at multiple layers including server-side sanitization of HTTP_HOST and REQUEST_URI variables, regular database monitoring for malicious content, and privileged account protection measures such as multi-factor authentication to reduce the impact if exploitation occurs.
The vulnerability demonstrates the critical importance of proper input sanitization in web applications, particularly when handling server variables that may contain user-controllable data. It highlights how seemingly innocuous operations like logging 404 errors can become attack vectors when proper security controls are not implemented. Organizations should conduct comprehensive security audits of their WordPress installations to identify similar vulnerabilities in other plugins and themes, as this pattern of improper input handling is common in web applications. Additionally, implementing security awareness training for administrators about the risks of viewing suspicious links and maintaining up-to-date security monitoring systems can help detect and respond to exploitation attempts more effectively.
The risk assessment indicates this vulnerability should be treated as high severity due to its unauthenticated nature and potential for privilege escalation. The combination of stored XSS capabilities with access to administrative interfaces creates a significant threat landscape where attackers can potentially gain complete control over WordPress installations. Regular security assessments, automated vulnerability scanning, and prompt patch management processes are essential defensive measures that should be implemented immediately to address this vulnerability across all affected systems.