CVE-2026-9643: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in joomunited WP Meta SEO
The WP Meta SEO plugin for WordPress contains an unauthenticated stored cross-site scripting (XSS) vulnerability in all versions up to and including 4.5.18. This occurs because the plugin inserts unsanitized data from the HTTP_HOST and REQUEST_URI server variables into the database when handling 404 errors. An attacker can exploit this by injecting malicious scripts that execute when an administrator views the plugin's 404 & Redirects admin page.
AI Analysis
Technical Summary
CVE-2026-9643 is a stored cross-site scripting vulnerability in the WP Meta SEO WordPress plugin by joomunited. The vulnerability arises in the wpmsTemplateRedirect() hook, which on detecting a 404 error concatenates the HTTP_HOST and raw REQUEST_URI server variables and inserts this combined value directly into the wp_wpms_links.link_url database column without sanitization. This allows unauthenticated attackers to inject arbitrary scripts that execute in the context of an administrator's browser when they access the plugin's 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link). The CVSS 3.1 score is 7.2 (High), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity with scope changed.
Potential Impact
An unauthenticated attacker can inject persistent malicious scripts into the plugin's database via manipulated HTTP_HOST and REQUEST_URI values. These scripts execute in the administrator's browser when viewing the affected admin page, potentially leading to credential theft, session hijacking, or other actions performed with administrator privileges. The vulnerability compromises confidentiality and integrity but does not affect availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should avoid accessing the 404 & Redirects admin page or restrict access to trusted users only. Monitor official joomunited communications for updates and apply patches promptly once released.
CVE-2026-9643: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in joomunited WP Meta SEO
Description
The WP Meta SEO plugin for WordPress contains an unauthenticated stored cross-site scripting (XSS) vulnerability in all versions up to and including 4.5.18. This occurs because the plugin inserts unsanitized data from the HTTP_HOST and REQUEST_URI server variables into the database when handling 404 errors. An attacker can exploit this by injecting malicious scripts that execute when an administrator views the plugin's 404 & Redirects admin page.
CVSS v3.1
Score 7.2high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9643 is a stored cross-site scripting vulnerability in the WP Meta SEO WordPress plugin by joomunited. The vulnerability arises in the wpmsTemplateRedirect() hook, which on detecting a 404 error concatenates the HTTP_HOST and raw REQUEST_URI server variables and inserts this combined value directly into the wp_wpms_links.link_url database column without sanitization. This allows unauthenticated attackers to inject arbitrary scripts that execute in the context of an administrator's browser when they access the plugin's 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link). The CVSS 3.1 score is 7.2 (High), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity with scope changed.
Potential Impact
An unauthenticated attacker can inject persistent malicious scripts into the plugin's database via manipulated HTTP_HOST and REQUEST_URI values. These scripts execute in the administrator's browser when viewing the affected admin page, potentially leading to credential theft, session hijacking, or other actions performed with administrator privileges. The vulnerability compromises confidentiality and integrity but does not affect availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should avoid accessing the 404 & Redirects admin page or restrict access to trusted users only. Monitor official joomunited communications for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-26T18:57:23.139Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3b7813eed863c81e5f7346
Added to database: 06/24/2026, 06:24:19 UTC
Last enriched: 06/24/2026, 06:39:06 UTC
Last updated: 06/24/2026, 07:59:36 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.