Medium severity 4.3 · NVD Advisory · Published May 27, 2026

CVE-2026-8942


Description

The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metamagic_update_options function. This makes it possible for unauthenticated attackers to modify the plugin's SEO settings, including enabling or disabling the plugin and toggling description and keyword meta tag output via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in MetaMagic SEO Plugin ≤1.6 allows unauthenticated attackers to alter SEO settings by tricking an admin into a forged request.

Vulnerability

The MetaMagic SEO Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.6. The metamagic_update_options function lacks proper nonce validation [1], allowing attackers to forge requests that modify the plugin's SEO settings. The vulnerable code resides in /trunk/metamagic.php [2].
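The check whose absence is described above, sketched as an added example in a WordPress settings handler. This is not the MetaMagic plugin's code: every `example_seo_*` name, the option key and the form fields are assumptions made for illustration, and only the WordPress core functions are real.

```php
<?php
// Added example: hypothetical settings handler, NOT the MetaMagic plugin's code.
// All example_seo_* names and the option key are assumptions for illustration.

const EXAMPLE_SEO_NONCE_ACTION = 'example_seo_update_options';
const EXAMPLE_SEO_NONCE_FIELD  = 'example_seo_nonce';

// Render the settings form with a nonce bound to the user, session and action.
function example_seo_render_form() {
    $opts = get_option( 'example_seo_options', array() );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( EXAMPLE_SEO_NONCE_ACTION, EXAMPLE_SEO_NONCE_FIELD ); ?>
        <label><input type="checkbox" name="example_seo_enabled" value="1"
            <?php checked( ! empty( $opts['enabled'] ) ); ?>> Enable plugin</label>
        <label><input type="checkbox" name="example_seo_description" value="1"
            <?php checked( ! empty( $opts['description'] ) ); ?>> Output description meta tag</label>
        <?php submit_button( 'Save', 'primary', 'example_seo_submit' ); ?>
    </form>
    <?php
}

// Handle the POST. A handler that skips the two checks below and goes straight
// to update_option() is the CSRF-prone pattern: the administrator's session
// cookie alone authorizes the write, whichever site submitted the form.
function example_seo_update_options() {
    if ( ! isset( $_POST['example_seo_submit'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: verifies the nonce sent with the request and dies on failure.
    check_admin_referer( EXAMPLE_SEO_NONCE_ACTION, EXAMPLE_SEO_NONCE_FIELD );

    // Store only booleans derived from the request, never raw input.
    update_option( 'example_seo_options', array(
        'enabled'     => isset( $_POST['example_seo_enabled'] ),
        'description' => isset( $_POST['example_seo_description'] ),
    ) );
}
add_action( 'admin_init', 'example_seo_update_options' );
```

When auditing a plugin for this class of bug, look for an options-writing handler that reads `$_POST` or `$_REQUEST` without a matching `check_admin_referer()` or `wp_verify_nonce()` call on the same code path.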

Exploitation

An unauthenticated attacker can craft a malicious request that modifies plugin settings, such as enabling or disabling the plugin or toggling the output of description and keyword meta tags. The attack requires tricking a logged-in site administrator into performing an action like clicking a crafted link. No other authentication or network position is needed beyond basic web access.

Impact

Successful exploitation allows the attacker to alter the plugin's SEO configuration, which could degrade the site's search engine optimization, lead to unintended meta tag exposure, or disable the plugin entirely. The attack does not directly compromise other parts of the WordPress installation, but it affects the site's SEO appearance.

Mitigation

No fix has been released as of the publication date (2026-05-27). Users should disable the plugin until an update is available or implement a Web Application Firewall (WAF) rule to block forged requests. The plugin's vendor has not yet provided a patched version.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
