CVE Catalog

CVE-2026-9643

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

The WP Meta SEO plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting via the REQUEST_URI server variable in all versions up to and including 4.5.18. The plugin directly inserts unsanitized HTTP_HOST and REQUEST_URI data into the database, allowing arbitrary script injection.

Risk Assessment

An attacker can inject malicious scripts that execute in the administrator's browser when viewing the 404 & Redirects admin page, potentially leading to session hijacking, content manipulation, or privilege escalation.

Recommendation

Update the WP Meta SEO plugin to the latest patched version immediately. As a temporary measure, consider disabling the plugin or implementing WAF rules to block suspicious requests.

Original NVD description (English source)

The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS