CVE-2026-9643
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
The WP Meta SEO plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting via the REQUEST_URI server variable in all versions up to and including 4.5.18. The plugin directly inserts unsanitized HTTP_HOST and REQUEST_URI data into the database, allowing arbitrary script injection.
Risk Assessment
An attacker can inject malicious scripts that execute in the administrator's browser when viewing the 404 & Redirects admin page, potentially leading to session hijacking, content manipulation, or privilege escalation.
Recommendation
Update the WP Meta SEO plugin to the latest patched version immediately. As a temporary measure, consider disabling the plugin or implementing WAF rules to block suspicious requests.
Original NVD description (English source)
The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).

