Server-Side Request Forgery in WP Meta SEO Plugin for WordPress
CVE-2026-11370

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 24 June 2026

What is CVE-2026-11370?

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) through the 'new_link' parameter, which attackers with contributor-level access or higher can exploit. The vulnerability lets them make the web application send requests to arbitrary locations. Such requests could expose sensitive internal systems, enabling attackers to query and alter information. In addition, the status code of each outbound request is returned in the AJAX JSON response, which could help attackers identify internal hosts and access metadata from cloud services.
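
The check a server-side link tester needs before fetching a user-supplied URL, as an added example that is not the plugin's code or its actual fix. The function names, the injected resolver and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example, not WP Meta SEO code: function names and sample hosts are hypothetical.

/** True only for addresses outside private, loopback, link-local and reserved ranges. */
function is_public_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/**
 * Returns the vetted IP list for a link, or null when it must not be fetched.
 * $resolve maps a host name to IP strings (injected so the example runs offline).
 */
function vet_link_target(string $url, callable $resolve): ?array
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // only web schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // embedded credentials can disguise the real host
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps IPv6 brackets
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return null; // every resolved address must be public
        }
    }
    return $ips ?: null; // unresolvable hosts are rejected too
}

// Constructed DNS answers for the demo; production code would use a real resolver.
$dns = [
    'example.org'      => ['93.184.216.34'],
    'intranet.example' => ['10.0.0.5'],
    'rebind.example'   => ['93.184.216.34', '127.0.0.1'],
];
$resolve = fn(string $h): array => $dns[$h] ?? [];
$links = ['https://example.org/page', 'http://intranet.example/', 'http://rebind.example/',
          'http://169.254.169.254/', 'http://[::1]/', 'ftp://example.org/x'];
foreach ($links as $u) {
    // One generic verdict for every refusal, so the reply carries nothing to probe with.
    echo $u, ' => ', vet_link_target($u, $resolve) !== null ? 'checked' : 'rejected', PHP_EOL;
}
```

The request itself should connect to one of the vetted addresses rather than resolving the name again, and each redirect target needs the same vetting before it is followed.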

Affected Version(s)

WP Meta SEO: all versions up to and including 4.5.18

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Enes Ismail