Vulnerabilities and security researches forwp-meta-seo wp-meta-seo

Direction: ascending

Jun 06, 2024

WP Meta SEO # CVE-2022-30337

CVE, Research URL: CVE-2022-30337
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Jul 21, 2022
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings.
Affected versions: max 4.4.9.
Status: vulnerable

WP Meta SEO # CVE-2023-1029

CVE, Research URL: CVE-2023-1029
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 25, 2023
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the regenerateSitemaps function. This makes it possible for unauthenticated attackers to regenerate Sitemaps via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 4.5.4.
Status: vulnerable

WP Meta SEO # CVE-2023-1023

CVE, Research URL: CVE-2023-1023
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 28, 2023
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the saveSitemapSettings function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to change sitemap-related settings of the plugin. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role.
Affected versions: max 4.5.4.
Status: vulnerable

WP Meta SEO # CVE-2023-1028

CVE, Research URL: CVE-2023-1028
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 28, 2023
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the setIgnore function. This makes it possible for unauthenticated attackers to update plugin options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 4.5.4.
Status: vulnerable

WP Meta SEO # CVE-2023-0876

CVE, Research URL: CVE-2023-0876
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Mar 20, 2023
Research Description: The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability.
Affected versions: max 4.5.3.
Status: vulnerable

WP Meta SEO # CVE-2023-6961

CVE, Research URL: CVE-2023-6961
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: May 02, 2024
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Referer’ header in all versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 4.5.13.
Status: vulnerable

WP Meta SEO # CVE-2023-1026

CVE, Research URL: CVE-2023-1026
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 28, 2023
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the listPostsCategory function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to get post listings by category as long as those posts are published. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role.
Affected versions: max 4.5.4.
Status: vulnerable

WP Meta SEO # CVE-2023-1024

CVE, Research URL: CVE-2023-1024
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 28, 2023
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the regenerateSitemaps function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to generate sitemaps. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role.
Affected versions: max 4.5.4.
Status: vulnerable

WP Meta SEO # CVE-2023-1022

CVE, Research URL: CVE-2023-1022
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 28, 2023
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to unauthorized options update due to a missing capability check on the wpmsGGSaveInformation function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to update google analytics options maintained by the plugin. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role.
Affected versions: max 4.5.4.
Status: vulnerable

WP Meta SEO # CVE-2023-1027

CVE, Research URL: CVE-2023-1027
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 28, 2023
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the checkAllCategoryInSitemap function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to obtain post categories. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role.
Affected versions: max 4.5.4.
Status: vulnerable

WP Meta SEO # CVE-2023-1381

CVE, Research URL: CVE-2023-1381
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Apr 10, 2023
Research Description: The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.
Affected versions: max 4.5.5.
Status: vulnerable

WP Meta SEO # CVE-2022-1093

CVE, Research URL: CVE-2022-1093
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: May 23, 2022
Research Description: The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed.
Affected versions: max 4.4.7.
Status: vulnerable

WP Meta SEO # CVE-2023-0875

CVE, Research URL: CVE-2023-0875
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Mar 20, 2023
Research Description: The WP Meta SEO WordPress plugin before 4.5.3 does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users.
Affected versions: max 4.5.3.
Status: vulnerable

WP Meta SEO # CVE-2023-6962

CVE, Research URL: CVE-2023-6962
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: May 02, 2024
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.12 via the meta description. This makes it possible for unauthenticated attackers to disclose potentially sensitive information via the meta description of password-protected posts.
Affected versions: max 4.5.13.
Status: vulnerable

Sep 15, 2024

WP Meta SEO # CVE-2024-45456

CVE, Research URL: CVE-2024-45456
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Sep 15, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JoomUnited WP Meta SEO wp-meta-seo allows Stored XSS.This issue affects WP Meta SEO: from n/a through <= 4.5.13.
Affected versions: max 4.5.14.
Status: vulnerable

WP Meta SEO # CVE-2024-45455

CVE, Research URL: CVE-2024-45455
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Sep 15, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JoomUnited WP Meta SEO wp-meta-seo allows Stored XSS.This issue affects WP Meta SEO: from n/a through <= 4.5.13.
Affected versions: max 4.5.14.
Status: vulnerable

Jun 16, 2026

WP Meta SEO # 254b20c7ff2f16f464a547cdbf84ab314a3580be

CVE, Research URL: 254b20c7ff2f16f464a547cdbf84ab314a3580be
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 22, 2023
Research Description: WP Meta SEO [wp-meta-seo] < 4.5.3 WP Meta SEO <= 4.5.2 - Authenticated (Subscriber+) SQL Injection The WP Meta SEO plugin for WordPress is vulnerable to SQL Injection via the ‘ids’ parameter in the bulkImageCopy function reachable via the wp_ajax_wpms AJAX action in versions up to, and including, 4.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Since the plugin relied on nonce checks as a means of access control, and that nonce was made accessible to all authenticated users regardless of role, the vulnerability could be exploited by asubscribers.
Affected versions: max 4.5.3.
Status: vulnerable

WP Meta SEO # 44a0394e04dc2c17db339b9fb2d8fc9ca9087b56

CVE, Research URL: 44a0394e04dc2c17db339b9fb2d8fc9ca9087b56
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 23, 2023
Research Description: WP Meta SEO [wp-meta-seo] < 4.5.3 WordPress WP Meta SEO Plugin <= 4.5.2 is vulnerable to SQL Injection Update the WordPress WP Meta SEO plugin to the latest available version (at least 4.5.3). WordFence discovered and reported this SQL Injection vulnerability in WordPress WP Meta SEO Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has been fixed in version 4.5.3.
Affected versions: max 4.5.3.
Status: vulnerable

WP Meta SEO # 4ac0913c16af784e4888952b6ae7c197711460e4

CVE, Research URL: 4ac0913c16af784e4888952b6ae7c197711460e4
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Feb 24, 2023
Research Description: WP Meta SEO [wp-meta-seo] < 4.5.3 WP Meta SEO <= 4.5.2 - Missing Authorization in 'startProcess' to Arbitrary Redirect via 'update_link_redirect' task The WP Meta SEO plugin for WordPress is vulnerable to unauthorized execution of tasks due to a missing capability check on the startProcess function in versions up to, and including, 4.5.2. This makes it possible for authenticated attackers with subscriber-level access to perform tasks reserved for administrators such as post modifications. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role. Attackers could leverage this to redirect victims to an arbitrary location by setting the link_redirect location through the update_link_redirect task.
Affected versions: max 4.5.3.
Status: vulnerable

Jun 25, 2026

WP Meta SEO # CVE-2026-11370

CVE, Research URL: CVE-2026-11370
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Jun 24, 2026
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.
Affected versions: max 4.5.18.
Status: vulnerable

WP Meta SEO # CVE-2026-9643

CVE, Research URL: CVE-2026-9643
Home page URL: Security reports for WP Meta SEO
Application: WP Meta SEO
Date: Jun 24, 2026
Research Description: The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).
Affected versions: max 4.5.18.
Status: vulnerable