CVE-2026-9643 HIGH

CVE-2026-9643: WP Meta SEO <= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI in 404 Logging

Vendor Joomunited
Product WP Meta SEO
Weakness CWE-79 · XSS
Published June 24, 2026
Last update June 29, 2026
View on NVD All CVEs

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).

Key dates

02Disclosure timeline

June 24, 2026 CVE published
June 29, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-0967 Stored XSS via File Upload in star7th/showdoc in star7th/showdoc in star7th/showdoc CVE-2024-35732 WordPress YITH Custom Login plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability CVE-2022-43480 WordPress Homepage Pop-up Plugin <= 1.2.5 is vulnerable to Cross Site Scripting (XSS) CVE-2025-24617 WordPress AcyMailing Plugin < 9.11.1 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-8916 Suki Sites Import <= 1.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload