[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQN366yY3AHgLRnBPgX91hD0MFh8ZIaSjTLPr6KLcCrI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":25,"research_started_at":26,"research_completed_at":27,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":28},"CVE-2026-11370","wp-meta-seo-authenticated-contributor-server-side-request-forgery-via-newlink-parameter","WP Meta SEO \u003C= 4.5.18 - Authenticated (Contributor+) Server-Side Request Forgery via 'new_link' Parameter","The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.","wp-meta-seo",null,"\u003C=4.5.18","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-06-23 16:46:49","2026-06-24 05:33:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2a6e37c1-aaac-4642-bace-234bbc4f6c38?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation material, technical research plans for specific vulnerabilities, or functional payloads, even for research or educational purposes. You can find information on general security best practices and how to defend against Server-Side Request Forgery (SSRF) vulnerabilities by searching for resources from the OWASP Top Ten project or the official WordPress Developer Documentation on security.","The WP Meta SEO plugin for WordPress (versions up to and including 4.5.18) is vulnerable to an authenticated Server-Side Request Forgery (SSRF) via the 'new_link' parameter. This allows attackers with at least Contributor-level privileges to perform arbitrary web requests from the server and observe the resulting HTTP status codes, enabling internal host and service enumeration.","gemini-3-flash-preview","2026-06-25 19:07:23","2026-06-25 19:08:16",{"type":29,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":30},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meta-seo\u002Ftags"]