cleantalk
Vulnerabilities and Security Researches

WP Meta SEO, CVE-2026-9643

CVE, Research URL

CVE-2026-9643

Home page URL

Security reports for WP Meta SEO

Application

WP Meta SEO

Published on
Jun 24, 2026
Research Description
The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).
Affected versions
max 4.5.18.
Status
vulnerable
Previous vulnerability researches
WP Meta SEO (CVE-2024-45456) , Sep 15, 2024
WP Meta SEO (CVE-2024-45455) , Sep 15, 2024
WP Meta SEO (CVE-2026-11370) , Jun 25, 2026
WP Meta SEO (CVE-2026-9643) , Jun 25, 2026
WP Meta SEO (254b20c7ff2f16f464a547cdbf84ab314a3580be) , Jun 16, 2026
New vulnerability
Post Duplicator (CVE-2026-10749) , Jun 26, 2026
Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking (CVE-2026-12937) , Jun 26, 2026
WP Meta SEO (CVE-2026-9643) , Jun 25, 2026
WP Meta SEO (CVE-2026-11370) , Jun 25, 2026
Bulk SEO Image (CVE-2026-11997) , Jun 25, 2026