What the vulnerability does
01Description
The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.
Explanation of Vulnerability in Simple Terms
02Summary
WP Meta SEO versions up to 4.5.18 contain a server-side request forgery vulnerability that allows authenticated users to make the site send HTTP requests to internal or external systems on the attacker's behalf. The vulnerability requires a logged-in account with low privileges and affects the confidentiality and integrity of data accessible through those requests. No user interaction is needed once authenticated.
What an attacker can do
03Attacker Capabilities
Make the site send HTTP requests to internal systems or external servers to read data or perform actions.
Potential impact on your site
04Site Impact
Authenticated attackers can access internal services, read sensitive data, or trigger actions on behalf of your site.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege authenticated account on the WordPress site.
Key dates
06Disclosure timeline
June 24, 2026
CVE published
June 29, 2026
Record updated
