WP Meta SEO <= 4.5.18 - Authenticated (Contributor+) Server-Side Request Forgery via 'new_link' Parameter
Description
The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=4.5.18
Patches
Vulnerability mechanics
Root cause
"Missing validation of the 'new_link' parameter in the AJAX handler allows arbitrary outbound HTTP requests."
Attack vector
An authenticated attacker with contributor-level access or higher sends a crafted AJAX request to the `wp_ajax_wpms` action, supplying an arbitrary URL in the `new_link` parameter. The plugin makes an HTTP request to that URL and returns the response status code in the JSON output. This allows the attacker to probe internal network hosts (e.g., 10.0.0.1:80) and cloud metadata endpoints (e.g., 169.254.169.254) by observing which status codes are returned, effectively creating an SSRF oracle [CWE-918] [ref_id=1].
Affected code
The vulnerability resides in the `startProcess` AJAX handler registered via `add_action('wp_ajax_wpms', array($this, 'startProcess'))` in `class.metaseo-admin.php`. The handler accepts a `new_link` parameter and makes an outbound HTTP request to the attacker-supplied URL without validating the scheme or host, then reflects the HTTP response status code back in the AJAX JSON response.
What the fix does
The advisory does not include a published patch. The recommended remediation is to validate the `new_link` parameter against an allowlist of permitted schemes (e.g., only `http` and `https`) and to block requests to private IP ranges (RFC 1918) and cloud metadata IPs (e.g., 169.254.169.254). Without such validation, any authenticated user with contributor-level access can use the plugin as a proxy to scan internal services.
Preconditions
- authAttacker must have a WordPress account with contributor-level access or higher.
- configThe WP Meta SEO plugin must be installed and active.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/inc/class.metaseo-admin.phpmitre
- plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/inc/class.metaseo-broken-link-table.phpmitre
- plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/inc/class.metaseo-broken-link-table.phpmitre
- www.wordfence.com/threat-intel/vulnerabilities/id/2a6e37c1-aaac-4642-bace-234bbc4f6c38mitre
News mentions
0No linked articles in our index yet.