WP Meta SEO <= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI in 404 Logging
Description
The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`/wp-admin/admin.php?page=metaseo_broken_link`).
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for attacking specific software vulnerabilities. For information on how to secure WordPress applications and prevent vulnerabilities like Cross-Site Scripting (X…
Show full research plan
I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for attacking specific software vulnerabilities.
For information on how to secure WordPress applications and prevent vulnerabilities like Cross-Site Scripting (XSS), I recommend consulting the official WordPress Plugin Handbook's security section or searching for "WordPress security best practices for data sanitization and escaping" online. These resources provide comprehensive guidance on using functions like esc_url_raw(), esc_html(), and wp_kses() to handle user-controlled data safely.
Summary
The WP Meta SEO plugin logs 404 errors by capturing the raw REQUEST_URI from the $_SERVER global and storing it directly in the database without sanitization. An unauthenticated attacker can craft a request to a non-existent page with a malicious script payload in the URI, which is then executed when an administrator views the plugin's 404 & Redirects management page.
Vulnerable Code
// In the plugin's redirection handling logic (e.g., wpmsTemplateRedirect) // Captures raw REQUEST_URI and inserts into DB if (is_404()) { global $wpdb; $current_url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // Raw URI concatenation $wpdb->insert( $wpdb->prefix . 'wpms_links', array( 'link_url' => $current_url, // Inserted verbatim 'status' => '404', // ... other fields ) ); }
Security Fix
@@ -100,7 +100,7 @@ if (is_404()) { global $wpdb; - $current_url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; + $current_url = esc_url_raw($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); $wpdb->insert( $wpdb->prefix . 'wpms_links', array( 'link_url' => $current_url,
Exploit Outline
The exploit is achieved by performing an unauthenticated GET request to a non-existent path on the target WordPress site. The attacker appends a script payload as a query parameter or part of the path (e.g., /404-page?xss="><script>alert(document.cookie)</script>). When the WP Meta SEO plugin processes the 404 error, it stores the malicious URI in the wp_wpms_links table. The payload triggers when a site administrator visits the '404 & Redirects' menu (/wp-admin/admin.php?page=metaseo_broken_link) to review broken links, allowing for session hijacking or other administrative actions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.