WP Meta SEO <= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI in 404 Logging
Description
The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's wpmsTemplateRedirect() hook detects a 404, it concatenates $_SERVER['HTTP_HOST'] with the raw $_SERVER['REQUEST_URI'] and inserts that value verbatim into the wp_wpms_links.link_url column via $wpdb->insert(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 4.5.18
Patches
Vulnerability mechanics
Root cause
"Missing sanitization of `$_SERVER['REQUEST_URI']` before database insertion allows stored XSS."
Attack vector
An unauthenticated attacker requests a URL whose path WordPress cannot resolve and whose raw request target carries HTML metacharacters, e.g. `/no-such-page/"><script>alert(1)</script>`. Browsers percent-encode `"`, `<` and `>` in the path, so in practice the request is sent with a raw HTTP client; the plugin reads `$_SERVER['REQUEST_URI']` undecoded, so the bytes arrive exactly as sent. When the server returns a 404, the plugin's `wpmsTemplateRedirect()` hook stores the full request URI, payload included, in the database. The payload later executes in the browser of any administrator who opens the plugin's 404 & Redirects admin page, because the stored value is output without escaping [CWE-79]. A payload carried only in the query string of a page that does exist (the front page, for instance) is served normally and never reaches the 404 logger.
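The following scanner is an added example, not part of the advisory or of the plugin: it reads Apache/nginx combined-format access log lines and flags the requests this issue depends on, a 404 response whose raw request target carries HTML metacharacters. Hits are candidates for payloads already sitting in the `wp_wpms_links` table. The log lines at the bottom are constructed for the demonstration; the regular expression assumes the standard combined format.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory or the plugin: flag access-log lines
// that match the precondition for this stored XSS, a 404 whose raw request
// target contains characters a browser would have percent-encoded.
// The sample log at the bottom is constructed for this demonstration.

const COMBINED_LOG_RE =
    '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>.*?) HTTP\/[0-9.]+" (?<status>\d{3})/';

/**
 * Classify one log line. Returns null for lines that cannot have produced a
 * stored payload, otherwise an array describing the hit.
 */
function classify_404_request(string $line): ?array
{
    if (preg_match(COMBINED_LOG_RE, $line, $m) !== 1) {
        return null;                      // not a combined-format line
    }
    if ((int) $m['status'] !== 404) {
        return null;                      // the plugin's 404 logger never ran
    }
    $target = $m['target'];

    if (preg_match('/[<>"\']/', $target) === 1) {
        // Raw < > " in the request target: browsers percent-encode these, so
        // their presence means a hand-crafted client. The single quote is
        // included because it breaks out of single-quoted attributes.
        // This is the case the advisory describes.
        $kind = 'raw-markup';
    } elseif (preg_match('/%3C[a-z\/]/i', $target) === 1) {
        // Percent-encoded tag (%3C = '<'): only fires if the admin page
        // decodes before rendering, which the advisory does not describe.
        $kind = 'encoded-tag';
    } else {
        return null;                      // an ordinary broken link
    }
    return ['ip' => $m['ip'], 'time' => $m['time'], 'target' => $target, 'kind' => $kind];
}

/** Run the classifier over a whole log and return the hits in order. */
function scan_access_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $hit = classify_404_request($line);
        if ($hit !== null) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample: a normal page view, a benign 404, a raw payload that
// 404s (this one gets stored), a percent-encoded variant, and the same
// payload against the front page, which returns 200 and is never logged.
$sample = <<<'LOG'
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /old-page/ HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /no-such-page/"><script>alert(1)</script> HTTP/1.1" 404 1234 "-" "curl/8.5.0"
198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /no-such-page/%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 1234 "-" "curl/8.5.0"
198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /?"><script>alert(1)</script> HTTP/1.1" 200 9876 "-" "curl/8.5.0"
LOG;

foreach (scan_access_log($sample) as $hit) {
    printf("%-12s %s %s %s\n", $hit['kind'], $hit['ip'], $hit['time'], $hit['target']);
}
```

On the constructed sample the scanner reports two lines, the raw-markup 404 and the encoded-tag 404; the front-page request with the same payload is skipped because it was answered with 200. Pipe a real access log through `scan_access_log()` and compare the reported targets with the `link_url` column to confirm whether a payload was actually stored.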
Affected code
The vulnerability resides in the `wpmsTemplateRedirect()` hook within `wp-meta-seo.php`. When a 404 is detected, the code concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`, with no sanitization or escaping. Both server variables are copied from the client request: `HTTP_HOST` is the Host header and `REQUEST_URI` is the undecoded request target. The stored value is later rendered unescaped on the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`), which is the sink where the script executes.
What the fix does
The advisory does not include a published patch. The change that closes the hole is on the output side: escape the stored value for the context it is rendered in on the admin page, `esc_url()` inside an `href` attribute and `esc_html()` in a text node, every time it is printed. Sanitizing on the way in is defence in depth, not a substitute, and the tool matters: `esc_url_raw()` drops characters that cannot appear in a URL, including `<`, `>` and `"`, whereas `sanitize_text_field()` also strips percent-encoded octets and would mangle legitimate paths in the log. Because `$_SERVER['HTTP_HOST']` is the client's Host header, it is untrusted input as well and needs the same treatment. Without output escaping, an attacker can inject arbitrary HTML and JavaScript that executes in the admin context.
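The snippet below is an added illustration, not WP Meta SEO's actual source: it reconstructs the logging pattern the advisory describes as a minimal `template_redirect` hook and places a hardened version beside it. The callback names, the rendering helper and the single-column insert are assumptions; only the sink (`HTTP_HOST . REQUEST_URI` stored in `wp_wpms_links.link_url` and echoed on the admin page) comes from the advisory. It assumes a WordPress runtime for `$wpdb`, `is_404()`, `wp_unslash()` and the `esc_*()` helpers.

```php
<?php
// Added illustration, not the plugin's code. The vulnerable shape follows the
// advisory's description; the hook callback names, the column list and the
// render helper are assumptions. Requires WordPress ($wpdb, is_404(), esc_*()).

// ---- Shape of the vulnerable code (before) ----
function example_log_404_unsafe() {
    if ( ! is_404() ) {
        return;
    }
    global $wpdb;
    // Both values are copied from the request verbatim: HTTP_HOST is the
    // client's Host header, REQUEST_URI the undecoded request target.
    $link_url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    $wpdb->insert(
        $wpdb->prefix . 'wpms_links',
        array( 'link_url' => $link_url ),
        array( '%s' )
    );
}
// ...and later, on the 404 & Redirects page, the value is echoed as stored:
//   echo '<td>' . $row->link_url . '</td>';   // stored payload executes here

// ---- Hardened (after) ----
function example_log_404_safe() {
    if ( ! is_404() ) {
        return;
    }
    global $wpdb;
    $host = isset( $_SERVER['HTTP_HOST'] ) ? wp_unslash( $_SERVER['HTTP_HOST'] ) : '';
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';

    // Input side (defence in depth): a scheme is prepended so esc_url_raw()
    // validates the value as an absolute URL; it then keeps only URL-legal
    // characters, so < > and " never reach the table. sanitize_text_field()
    // is the wrong tool here because it strips percent-encoded octets.
    $link_url = esc_url_raw( 'http://' . $host . $uri );
    if ( '' === $link_url ) {
        return; // nothing URL-shaped survived; do not log it
    }
    $wpdb->insert(
        $wpdb->prefix . 'wpms_links',
        array( 'link_url' => $link_url ),
        array( '%s' )
    );
}
add_action( 'template_redirect', 'example_log_404_safe' );

// Output side: this is the change that actually closes the XSS. Escape for
// the context the value lands in (attribute vs. text node) every time it is
// rendered, regardless of what was done at storage time.
function example_render_link_cell( $row ) {
    return sprintf(
        '<td><a href="%s">%s</a></td>',
        esc_url( $row->link_url ),
        esc_html( $row->link_url )
    );
}
```

The storage-side filter alone is not sufficient: `esc_url_raw()` still permits `'`, `(` and `)`, so a value that passes it can break out of a single-quoted attribute. Treat `example_render_link_cell()` as the required change and the input filter as a second layer.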
Preconditions
- config: The WP Meta SEO plugin must be installed and active (version <= 4.5.18).
- network: The attacker must be able to send HTTP requests to the WordPress site (no authentication required).
- input: The requested URL must trigger a 404 response so that `wpmsTemplateRedirect()` executes.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/inc/class.metaseo-broken-link-table.php (source: mitre)
- plugins.trac.wordpress.org/browser/wp-meta-seo/tags/4.5.18/wp-meta-seo.php (source: mitre)
- plugins.trac.wordpress.org/changeset (source: mitre)
- ti.wordfence.io/vulnerabilities/ca91e41d-b728-4eb0-86d5-043813d8c2c1 (source: mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/beceb218-34bf-4571-a07b-939abc7ead8e (source: mitre)