Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11370

CVE-2026-11370: WP Meta SEO Plugin SSRF Vulnerability

CVE-2026-11370 is a Server-Side Request Forgery vulnerability in WP Meta SEO plugin for WordPress that allows authenticated attackers to probe internal networks. This article covers technical details, affected versions, and remediation.

Published:

CVE-2026-11370 Overview

CVE-2026-11370 is a Server-Side Request Forgery (SSRF) vulnerability in the WP Meta SEO plugin for WordPress. The flaw affects all versions up to and including 4.5.18 and is reachable through the new_link parameter. Authenticated users with contributor-level access or higher can coerce the WordPress server into issuing arbitrary outbound HTTP requests. The HTTP response status code is reflected back through the AJAX JSON response as status_code, creating an enumeration oracle that supports probing of internal hosts and cloud metadata services. The vulnerability is tracked under [CWE-918].

Critical Impact

Contributor-level attackers can pivot through the WordPress server to query internal services, modify state on internal endpoints, and enumerate cloud metadata endpoints such as the AWS Instance Metadata Service (IMDS).

Affected Products

  • WP Meta SEO plugin for WordPress, versions through 4.5.18
  • WordPress sites that allow contributor or higher role registration
  • Hosted WordPress deployments with network reachability to internal services or cloud metadata endpoints

Discovery Timeline

  • 2026-06-24 - CVE-2026-11370 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-11370

Vulnerability Analysis

The WP Meta SEO plugin exposes AJAX handlers that accept a user-controlled new_link parameter and dispatch an HTTP request to that URL from the WordPress server. The handler does not validate the destination against an allowlist, restrict the scheme, or block requests targeting private and link-local address ranges. An authenticated contributor can therefore submit URLs pointing at 127.0.0.1, RFC 1918 ranges, or cloud metadata addresses such as 169.254.169.254. The HTTP response status is returned to the attacker in the AJAX response as the status_code field, producing a usable oracle for blind enumeration.

Root Cause

The root cause is missing destination validation in the plugin's broken-link verification logic. The relevant code paths reside in inc/class.metaseo-admin.php and inc/class.metaseo-broken-link-table.php (see linked code review references). The plugin trusts the new_link parameter and passes it directly into WordPress HTTP request functions without normalizing the URL, restricting the scheme, or resolving the hostname against a deny list of internal ranges.

Attack Vector

The attack vector is network-based and requires authentication at contributor level or above. After logging in, the attacker invokes the vulnerable AJAX action with a new_link value pointing to an internal target. The plugin issues the request server-side and returns the response status to the attacker. By iterating through hosts, ports, and paths, the attacker can map internal infrastructure, reach administrative interfaces that trust loopback origin, or attempt to retrieve session tokens from cloud metadata services where instance role credentials are exposed.

No verified public exploit code is available. Technical details are documented in the WordPress Meta SEO Code Review and the Wordfence Vulnerability Report.

Detection Methods for CVE-2026-11370

Indicators of Compromise

  • Outbound HTTP requests from the WordPress PHP worker to 169.254.169.254, 127.0.0.1, or RFC 1918 addresses
  • Repeated POSTs to WordPress AJAX endpoints (admin-ajax.php) carrying a new_link parameter with non-public URLs
  • Unusual contributor-account activity issuing many AJAX requests in short bursts
  • Web server access logs showing identical request patterns differing only in the destination host or port in new_link

Detection Strategies

  • Inspect WordPress access logs for admin-ajax.php requests containing new_link values that resolve to internal, loopback, or link-local addresses
  • Monitor egress from web tier hosts and alert on connections to cloud metadata IPs originating from PHP processes
  • Correlate authentication events for contributor-role accounts with outbound HTTP activity to detect SSRF probing

Monitoring Recommendations

  • Enable WordPress debug logging for HTTP API calls and forward logs to a centralized SIEM for analysis
  • Apply Web Application Firewall rules that block new_link parameter values matching private IP ranges or metadata hostnames
  • Track creation of new low-privilege accounts and flag any that subsequently exercise plugin AJAX handlers

How to Mitigate CVE-2026-11370

Immediate Actions Required

  • Update the WP Meta SEO plugin to a version later than 4.5.18 once the vendor publishes a fix
  • Audit all contributor, author, and editor accounts and remove unused or suspicious users
  • Restrict outbound network access from the WordPress server to required destinations only, blocking cloud metadata endpoints at the host firewall
  • Enforce IMDSv2 on AWS workloads to prevent unauthenticated metadata retrieval via SSRF

Patch Information

At the time of publication, the NVD entry references code in version 4.5.18 as vulnerable. Administrators should consult the Wordfence Vulnerability Report for the latest patched version and upgrade once available.

Workarounds

  • Disable the WP Meta SEO plugin until a patched version is installed
  • Revoke contributor-level and higher access from untrusted accounts to remove the precondition for exploitation
  • Deploy WAF rules that reject requests to admin-ajax.php where new_link contains internal IP literals, localhost, or 169.254.169.254
bash
# Example: block outbound requests to cloud metadata from the WordPress host
iptables -A OUTPUT -d 169.254.169.254 -m owner --uid-owner www-data -j REJECT
iptables -A OUTPUT -d 127.0.0.0/8 -m owner --uid-owner www-data ! -o lo -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.