CVE-2026-11370 joomunited CVE debrief

Who should care

WP Meta SEO users, WordPress administrators, security teams, and organizations using the WP Meta SEO plugin should be aware of this vulnerability. This vulnerability can be used to probe internal hosts and cloud metadata services, potentially leading to further attacks. Security teams should prioritize patching this vulnerability to prevent potential exploitation.

Technical summary

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of proper validation in the 'new_link' parameter. An authenticated attacker with contributor-level access can make web requests to arbitrary locations, which can be used to query and modify information from internal services. The vulnerability has a CVSS score of 6.4 and a CVSS severity of MEDIUM. The vulnerability was publicly disclosed on June 24, 2026, and the CVE record was last modified on June 25, 2026.

Defensive priority

Patching this vulnerability is of medium priority. WP Meta SEO users should update to a patched version as soon as possible to prevent potential exploitation.

Recommended defensive actions

• Update WP Meta SEO to a patched version
• Review plugin configurations and ensure only authorized users have contributor-level access or above
• Monitor plugin logs for suspicious activity
• Implement additional security measures to detect and prevent SSRF attacks
• Verify internal services and cloud metadata services are properly secured

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and severity. The source item URL provides additional information on the vulnerability, including references to the vulnerable code. The CVE record was last modified on June 25, 2026, indicating that the vulnerability is actively being monitored and updated.

Official resources