[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmGo9PylPj6Z-sqoeNGrf-PxZe7RqDflOvTOPsP1jQdE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-9643","wp-meta-seo-unauthenticated-stored-cross-site-scripting-via-requesturi-in-404-logging","WP Meta SEO \u003C= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI in 404 Logging","The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST_URI server variable in all versions up to, and including, 4.5.18. When the plugin's `wpmsTemplateRedirect()` hook detects a 404, it concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` and inserts that value verbatim into the `wp_wpms_links.link_url` column via `$wpdb->insert()`. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (`\u002Fwp-admin\u002Fadmin.php?page=metaseo_broken_link`).","wp-meta-seo",null,"\u003C=4.5.18","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-23 16:46:28","2026-06-24 05:33:29",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbeceb218-34bf-4571-a07b-939abc7ead8e?source=api-prod",[],"researched",false,3,"I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for attacking specific software vulnerabilities.\n\nFor information on how to secure WordPress applications and prevent vulnerabilities like Cross-Site Scripting (XSS), I recommend consulting the official [WordPress Plugin Handbook's security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) or searching for \"WordPress security best practices for data sanitization and escaping\" online. These resources provide comprehensive guidance on using functions like `esc_url_raw()`, `esc_html()`, and `wp_kses()` to handle user-controlled data safely.","The WP Meta SEO plugin logs 404 errors by capturing the raw REQUEST_URI from the $_SERVER global and storing it directly in the database without sanitization. An unauthenticated attacker can craft a request to a non-existent page with a malicious script payload in the URI, which is then executed when an administrator views the plugin's 404 & Redirects management page.","\u002F\u002F In the plugin's redirection handling logic (e.g., wpmsTemplateRedirect)\n\u002F\u002F Captures raw REQUEST_URI and inserts into DB\n\nif (is_404()) {\n    global $wpdb;\n    $current_url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; \u002F\u002F Raw URI concatenation\n    $wpdb->insert(\n        $wpdb->prefix . 'wpms_links',\n        array(\n            'link_url' => $current_url, \u002F\u002F Inserted verbatim\n            'status'   => '404',\n            \u002F\u002F ... other fields\n        )\n    );\n}","--- a\u002Fwp-content\u002Fplugins\u002Fwp-meta-seo\u002Finc\u002Fclass-wpms-redirect.php\n+++ b\u002Fwp-content\u002Fplugins\u002Fwp-meta-seo\u002Finc\u002Fclass-wpms-redirect.php\n@@ -100,7 +100,7 @@\n         if (is_404()) {\n             global $wpdb;\n-            $current_url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];\n+            $current_url = esc_url_raw($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);\n             $wpdb->insert(\n                 $wpdb->prefix . 'wpms_links',\n                 array(\n                     'link_url' => $current_url,","The exploit is achieved by performing an unauthenticated GET request to a non-existent path on the target WordPress site. The attacker appends a script payload as a query parameter or part of the path (e.g., \u002F404-page?xss=\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>). When the WP Meta SEO plugin processes the 404 error, it stores the malicious URI in the wp_wpms_links table. The payload triggers when a site administrator visits the '404 & Redirects' menu (\u002Fwp-admin\u002Fadmin.php?page=metaseo_broken_link) to review broken links, allowing for session hijacking or other administrative actions.","gemini-3-flash-preview","2026-06-25 19:08:40","2026-06-25 19:09:18",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meta-seo\u002Ftags"]