PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9643 joomunited CVE debrief

The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. The plugin's `wpmsTemplateRedirect()` hook detects a 404 and concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']`, inserting the value into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's 404 & Redirects admin page. The vulnerability has a CVSS score of 7.2 and is considered HIGH severity. The CVE was published on 2026-06-24T07:16:30.093Z and last modified on 2026-06-29T20:17:41.527Z.

Vendor
joomunited
Product
WP Meta SEO
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-06-29
Advisory published
2026-06-24
Advisory updated
2026-06-29

Who should care

Administrators and users of the WP Meta SEO plugin for WordPress should be aware of this vulnerability and take immediate action to update to a patched version. Additionally, users who have installed the plugin and have not updated to a patched version are at risk of exploitation. WordPress administrators and security teams should prioritize patching this vulnerability to prevent potential attacks.

Technical summary

The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. The plugin's `wpmsTemplateRedirect()` hook detects a 404 and concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']`, inserting the value into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's 404 & Redirects admin page. The vulnerability is caused by the lack of proper input validation and sanitization of user-supplied input. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N.

Defensive priority

High priority should be given to patching this vulnerability, as it allows for unauthenticated stored cross-site scripting. Administrators should update to a patched version of the WP Meta SEO plugin as soon as possible.

Recommended defensive actions

  • Update to a patched version of the WP Meta SEO plugin (version 4.5.19 or later).
  • Review and monitor the plugin's 404 & Redirects admin page for suspicious activity.
  • Implement additional security measures, such as web application firewalls and intrusion detection systems, to detect and prevent potential attacks.
  • Conduct regular vulnerability scans and penetration testing to identify and address potential vulnerabilities.
  • Consider implementing compensating controls, such as input validation and sanitization, to prevent similar vulnerabilities.

Evidence notes

The CVE-2026-9643 vulnerability was reported by security researchers at Wordfence. The vulnerability is caused by the lack of proper input validation and sanitization of user-supplied input. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability has a CVSS score of 7.2 and is considered HIGH severity.

Official resources

This article is AI-assisted and based on the supplied source corpus.