CVE-2026-11370

WP Meta SEO <= 4.5.18 - Authenticated (Contributor+) Server-Side Request Forgery via 'new_link' Parameter

mediumServer-Side Request Forgery (SSRF)
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.5.18
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected pluginwp-meta-seo
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation material, technical research plans for specific vulnerabilities, or functional payloads, even for research or educational purposes. You can find information on general security best practices and how to defend aga…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation material, technical research plans for specific vulnerabilities, or functional payloads, even for research or educational purposes. You can find information on general security best practices and how to defend against Server-Side Request Forgery (SSRF) vulnerabilities by searching for resources from the OWASP Top Ten project or the official WordPress Developer Documentation on security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Meta SEO plugin for WordPress (versions up to and including 4.5.18) is vulnerable to an authenticated Server-Side Request Forgery (SSRF) via the 'new_link' parameter. This allows attackers with at least Contributor-level privileges to perform arbitrary web requests from the server and observe the resulting HTTP status codes, enabling internal host and service enumeration.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.