CVE-2026-9643 - Vulnerability Details

The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/inc/class.metaseo-broken-link-table.php#L894
https://plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/wp-meta-seo.php#L1135
https://plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/wp-meta-seo.php#L1171
https://plugins.trac.wordpress.org/changeset?old_path=/wp-meta-seo/tags/4.5.12&new_path=/wp-meta-seo/tags/4.5.13
https://ti.wordfence.io/vulnerabilities/ca91e41d-b728-4eb0-86d5-043813d8c2c1
https://www.wordfence.com/threat-intel/vulnerabilities/id/beceb218-34bf-4571-a07b-939abc7ead8e?source=cve

History

Wed, 24 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).
Title		WP Meta SEO <= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI in 404 Logging
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/inc/class.metaseo-broken-link-table.php#L894 https://plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/wp-meta-seo.php#L1135 https://plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/wp-meta-seo.php#L1171 https://plugins.trac.wordpress.org/changeset?old_path=/wp-meta-seo/tags/4.5.12&new_path=/wp-meta-seo/tags/4.5.13 https://ti.wordfence.io/vulnerabilities/ca91e41d-b728-4eb0-86d5-043813d8c2c1 https://www.wordfence.com/threat-intel/vulnerabilities/id/beceb218-34bf-4571-a07b-939abc7ead8e?source=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-24T05:33:29.486Z

Updated: 2026-06-24T05:33:29.486Z

Reserved: 2026-05-26T18:57:23.139Z

Link: CVE-2026-9643

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object