Rank Math SEO
cpe:2.3:a:rankmath:rankmath:*:*:*:*:wordpress:*:*, +1 more
- <= 1.0.271
A vulnerability exists in the Rank Math SEO WordPress plugin, in versions through 1.0.271, because the 'update_site_editor_homepage' function does not perform a proper capability check. This flaw allows unauthenticated users to alter homepage SEO settings such as the title, meta description, breadcrumbs label, and social media metadata. These unauthorized changes can significantly disrupt SEO performance and introduce malicious content on pages that use breadcrumbs.
Exploitation of this vulnerability could lead to unauthorized modifications of critical SEO settings, potentially harming the site's search engine rankings and allowing for the injection of harmful content into the site's breadcrumb trails.
To reproduce this vulnerability, send a POST request to the WordPress REST API endpoint '/wp/v2/updateMeta' without authentication, including parameters that specify the object ID, the object type, and the metadata to be updated. Because the endpoint performs no capability check, the changes are applied without authorization.
Users are advised to update the Rank Math SEO plugin to version 1.0.271.1 or later.
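The root cause described above is a state-changing REST route whose permission callback does not verify the caller's capability. The following is an added illustrative example, not Rank Math's code: the route namespace, option key, argument names and function names are assumptions. It shows the weak pattern (a permission callback that always returns true) next to the corrected form, where the route only accepts the request from a user who holds 'manage_options' and sanitizes the submitted fields before storing them.

```php
<?php
/**
 * Added example, not code from the Rank Math plugin. Route, option key and
 * function names are assumed for illustration.
 *
 * WEAK PATTERN (do not ship): a permission_callback of '__return_true' on a
 * route that writes settings lets any unauthenticated client change them.
 * This is the class of flaw described in the advisory. Since WordPress 5.5
 * a missing permission_callback triggers a _doing_it_wrong notice, but
 * '__return_true' silences that notice without securing the route:
 *
 *   register_rest_route( 'example-seo/v1', '/homepage-meta', array(
 *       'methods'             => WP_REST_Server::EDITABLE,
 *       'callback'            => 'example_seo_update_homepage_meta',
 *       'permission_callback' => '__return_true',
 *   ) );
 */

add_action( 'rest_api_init', function () {
	// HARDENED FORM: the capability check runs before the callback is invoked.
	register_rest_route( 'example-seo/v1', '/homepage-meta', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'example_seo_update_homepage_meta',
		'permission_callback' => 'example_seo_can_edit_homepage_meta',
		// Declared args are validated and sanitized by the REST server
		// before the callback sees them.
		'args'                => array(
			'title'       => array(
				'type'              => 'string',
				'required'          => true,
				'sanitize_callback' => 'sanitize_text_field',
			),
			'description' => array(
				'type'              => 'string',
				'sanitize_callback' => 'sanitize_textarea_field',
			),
			'breadcrumb_label' => array(
				'type'              => 'string',
				'sanitize_callback' => 'sanitize_text_field',
			),
		),
	) );
} );

/**
 * Permission callback: only users allowed to manage site options may change
 * homepage SEO metadata. Returning WP_Error yields 401 for anonymous callers
 * and 403 for logged-in users without the capability.
 */
function example_seo_can_edit_homepage_meta( WP_REST_Request $request ) {
	if ( current_user_can( 'manage_options' ) ) {
		return true;
	}
	return new WP_Error(
		'rest_forbidden',
		__( 'You are not allowed to edit homepage SEO settings.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}

/**
 * Route callback: persists the already-sanitized fields. The capability check
 * has run by this point, so this function only handles the update itself.
 */
function example_seo_update_homepage_meta( WP_REST_Request $request ) {
	$meta = array(
		'title'            => $request->get_param( 'title' ),
		'description'      => $request->get_param( 'description' ),
		'breadcrumb_label' => $request->get_param( 'breadcrumb_label' ),
	);

	// 'example_seo_homepage_meta' is an assumed option key for this example.
	update_option( 'example_seo_homepage_meta', $meta );

	return rest_ensure_response( $meta );
}
```

When auditing a plugin for this class of issue, list every `register_rest_route` call whose `methods` include POST, PUT, PATCH or DELETE and confirm that its `permission_callback` performs a real `current_user_can()` check rather than returning true unconditionally. A REST nonce (`X-WP-Nonce`) only authenticates the cookie session; it does not substitute for the capability check shown here.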