Unauthenticated Stored Cross-Site Scripting in WP Meta SEO Plugin for WordPress
CVE-2026-9643

7.2HIGH

Key Information:

Vendor: WordPress
Status: WP Meta Seo
Vendor: CVE Published:; 24 June 2026

What is CVE-2026-9643?

The WP Meta SEO plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit stored cross-site scripting (XSS) via the REQUEST_URI server variable. This occurs in all versions up to and including 4.5.18. Specifically, when the plugin detects a 404 error, it mishandles user input by directly incorporating the HTTP_HOST and REQUEST_URI values into a database entry without proper sanitization. As a result, an attacker can inject malicious scripts that may execute whenever an admin accesses the related 404 & Redirects admin page, posing significant risks to website security.

Affected Version(s)

WP Meta SEO 0 <= 4.5.18

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-meta-seo/ta...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
May 26, 2026

Credit

melquisedeq ortiz

CVE-2026-9643 Data

JSON