Security Alert Summary
The WP Meteor Website Speed Optimization Addon plugin for WordPress is affected by a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-2902). Insufficient input sanitization and output escaping in the plugin allow unauthenticated attackers to inject script content into pages via a placeholder used by the plugin. Injected scripts will execute when an affected page is viewed.
CVE Details
- CVE ID: CVE-2026-2902
- Affected plugin / component: WP Meteor Website Speed Optimization Addon plugin for WordPress
- Affected versions: All versions up to, and including, 3.4.16
- Published: April 29, 2026 at 12:16:18 PM
- Last modified: April 29, 2026 at 12:16:18 PM
- CVSS v3.1 base score: 6.1 (MEDIUM)
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: No privileges required (PR:N); user interaction required (UI:R); attack vector: Network; attack complexity: Low
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
The vulnerability is a stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping in the plugin. According to the description, the problem occurs via the plugin’s frontend_rewrite function and specifically involves the WPMETEOR[N]WPMETEOR placeholder content. Because input that populates this placeholder is not properly sanitized or escaped on output, an attacker can store arbitrary script content that will run in the context of any user who views the injected page.
This is a stored XSS issue: malicious payloads are persisted by the plugin and executed later when a user accesses the affected page. The impact described in the CVE is limited to confidentiality and integrity (both rated Low) and does not indicate availability impact.
How This Could Impact Your Website
Consider a site with several users: a site owner, internal staff who publish content, and external contributors or contractors. If an unauthenticated attacker is able to inject a script via the plugin placeholder, that script may run in the browsers of staff or contributors who view the affected page. Practical consequences include exposure of limited confidential information visible in a users browser, modification of content displayed to users, and an increased risk of targeted phishing or social engineering aimed at staff whose email addresses or other details are accessible.
The issue does not necessarily imply full site takeover, but it raises real risks for user data and trustworthiness of content. If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other low-trust accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and access logs for unusual behavior or unexpected content changes.
If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/wp-meteor/trunk/blocker/FirstInteraction/UltimateReorder.php#L186
- https://plugins.trac.wordpress.org/browser/wp-meteor/trunk/blocker/FirstInteraction/UltimateReorder.php#L68
- https://plugins.trac.wordpress.org/browser/wp-meteor/trunk/frontend/Rewrite.php#L43
- https://plugins.trac.wordpress.org/changeset/3466538/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dc92b20a-fb9b-477c-8fe4-68897c1fd07e?source=cve
