CVE-2026-9643
Deferred Deferred - Pending Action

Unauthenticated Stored XSS in WP Meta SEO Plugin

Vulnerability report for CVE-2026-9643, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-29

Assigner: Wordfence

Description

The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-29
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_meta_seo wp_meta_seo to 4.5.18 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WP Meta SEO plugin for WordPress has a vulnerability known as Unauthenticated Stored Cross-Site Scripting (XSS) in all versions up to and including 4.5.18.

This vulnerability occurs because the plugin's `wpmsTemplateRedirect()` hook, when detecting a 404 error, concatenates the HTTP host with the raw request URI and inserts this combined value directly into the database without sanitization.

As a result, an unauthenticated attacker can inject malicious scripts via the REQUEST_URI server variable, which are then stored and executed whenever an administrator views the plugin's 404 & Redirects admin page.

Impact Analysis

This vulnerability can allow unauthenticated attackers to execute arbitrary scripts in the context of an administrator's browser.

Such script execution can lead to theft of administrator credentials, session hijacking, or unauthorized actions performed with administrator privileges.

Because the attack is stored, the malicious script persists and triggers every time the affected admin page is viewed, increasing the risk of compromise.

Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of an administrator's session. This can lead to unauthorized access or manipulation of sensitive data.

Such unauthorized access or data manipulation could potentially result in violations of data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the provided information does not explicitly detail the impact on compliance with these standards.

Detection Guidance

This vulnerability involves the WP Meta SEO plugin inserting unsanitized REQUEST_URI data into the database, which can be detected by monitoring for suspicious or unexpected script injections in the wp_wpms_links.link_url column.

To detect exploitation attempts, you can search your WordPress database for entries in the wp_wpms_links.link_url column containing suspicious script tags or unusual payloads.

  • Use a SQL query to find potential injected scripts: SELECT * FROM wp_wpms_links WHERE link_url LIKE '%<script>%';
  • Check web server logs for unusual or suspicious REQUEST_URI values that contain script tags or encoded payloads.
  • Monitor access to the admin page /wp-admin/admin.php?page=metaseo_broken_link for unexpected or unauthorized requests.
Mitigation Strategies

The immediate mitigation step is to update the WP Meta SEO plugin to a version later than 4.5.18 where this vulnerability is fixed.

If an update is not immediately possible, restrict access to the WordPress admin area, especially the 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link), to trusted users only.

Additionally, consider implementing Web Application Firewall (WAF) rules to block suspicious requests containing script injections in the REQUEST_URI.

Regularly audit and clean the wp_wpms_links.link_url database entries to remove any injected scripts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart