Description-Behavior Mismatch
Medium
- Confidence
- 95% confidence
- Finding
- The helper intended for SEO metadata also permits writing any non-allowlisted key directly into the WordPress post meta payload unless WP_REQUIRE_ALLOWLIST=1 is set. That broadens the script from a constrained SEO updater into a generic arbitrary postmeta writer, which can modify unrelated plugin/application state and defeats the principle of least privilege for this skill.
