CVE-2023-0876
published 2023-03-20

Priority: P279 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.71% (49.0th percentile)

The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomunited | wp_meta_seo | < 4.5.3 | 4.5.3 |

Detection & IOCs (extracted from sources)

url: /wp-content/plugins/wp-meta-seo/readme.txt
path: /wp-content/plugins/wp-meta-seo/
url: /wp-admin/admin-ajax.php
command: action=wpms&wpms_nonce={{wpms_nonce}}&task=update_link_redirect&link_id={{link_id}}&link_redirect={{redirect_url}}
other: wpms_nonce
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the AJAX action 'wpms' and task 'update_link_redirect', which indicates an unauthorized redirect update attempt.
  • Monitor for HTTP 302 responses from WordPress pages (e.g., /?p=<id>) with a Location header pointing to an unexpected external domain, indicating a successful arbitrary redirect exploitation.
  • Fingerprint vulnerable installations by checking for the presence of /wp-content/plugins/wp-meta-seo/readme.txt and confirming plugin version <= 4.5.2 via the 'Stable tag' field.
  • The plugin automatically creates entries in the wp_wpms_links table for 404 pages; monitor for unexpected rows in this table with attacker-controlled redirect URLs.
  • Look for the nonce token 'wpms_nonce' being extracted from /wp-admin/ page body by low-privilege authenticated users, as a precursor step to the AJAX exploitation chain.
  • Exploitation requires an authenticated low-privilege WordPress user account; the attack chain involves login, nonce extraction from /wp-admin/, and then the unauthorized AJAX call.
  • The exploit flow requires a valid link_id from the wp_wpms_links table (auto-populated for 404 pages); without a pre-existing 404 entry, the redirect update may not succeed.
  • The Nuclei template uses a flow condition 'http(1) || http(2) && http(3) && http(4) && http(5) && http(6)', meaning version check (http1) or a 404 probe (http2) is sufficient to proceed; detection logic should account for both paths.
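
A defender-side sketch of two of the checks listed above (the readme.txt version check and the admin-ajax.php request match), added here as an example and not taken from the plugin, the Nuclei template, or any source this page cites. The function names, the `(method, url, body)` record shape, and the sample data are assumptions; it presumes a WAF or reverse proxy that logs request bodies, since standard access logs do not.

```python
import re
from urllib.parse import parse_qs, urlsplit

FIXED = (4, 5, 3)  # first fixed release according to this page

def is_vulnerable(readme_text):
    """True if the readme's 'Stable tag' is below 4.5.3, False if not, None if absent."""
    m = re.search(r"^\s*Stable tag:\s*(\d+(?:\.\d+)*)", readme_text, re.I | re.M)
    if not m:
        return None
    v = tuple(int(p) for p in m.group(1).split("."))
    v += (0,) * (len(FIXED) - len(v))  # so "4.5" compares as 4.5.0
    return v < FIXED

def flag_request(method, url, body, site_host):
    """Return details if a logged request is the redirect-update AJAX call, else None."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # Assumption: parameters may sit in the query string or in the form body.
    form = parse_qs(parts.query + "&" + body, keep_blank_values=True)
    last = lambda key: form.get(key, [""])[-1]
    if last("action") != "wpms" or last("task") != "update_link_redirect":
        return None
    host = urlsplit(last("link_redirect")).hostname
    return {"link_id": last("link_id"), "link_redirect": last("link_redirect"),
            "external": host is not None and host != site_host}

def scan(records, site_host):
    """Run flag_request over (method, url, body) records and keep the hits."""
    return [hit for r in records if (hit := flag_request(*r, site_host))]

# Constructed sample data (not captured traffic or a real readme).
SAMPLE_README = "=== WP Meta SEO ===\nRequires at least: 4.7\nStable tag: 4.5.2\n"
SAMPLE_LOG = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=wpms&wpms_nonce=0123abcd&task=update_link_redirect"
     "&link_id=7&link_redirect=https%3A%2F%2Fredirect.example%2F"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&interval=60"),
    ("GET", "/wp-admin/admin-ajax.php?action=wpms", ""),
]

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable(SAMPLE_README))
    for hit in scan(SAMPLE_LOG, "blog.example"):
        print("redirect update:", hit)
```

A hit with `external` set is worth correlating with the role of the authenticated user and with later 302 responses pointing at the same host.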

CVSS provenance

nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 6.1 MEDIUM