CVE-2026-9643

The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQUEST URI server variable in all versions up to, and including, 4.5.18. When the plugin's wpmsTemplateRedirect() hook detects a 404, it concatenates $ SERVER['HTTP HOST'] with the raw $ SERVER['REQUEST URI'] and inserts that value verbatim into the wp wpms links.link url column via $wpdb->insert(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator views the plugin's 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo broken link).