CVE-2025-12714

Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.0.271.1
Patched in
1d
Time to patch

Description

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.271
PublishedMay 28, 2026
Last updatedMay 29, 2026
Affected pluginseo-by-rank-math

What Changed in the Fix

Changes introduced in v1.0.271.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2025-12714 - Rank Math SEO Unauthenticated Homepage Settings Modification ## 1. Vulnerability Summary The **Rank Math SEO** plugin (up to version 1.0.271) contains a missing authorization vulnerability in the `update_site_editor_homepage` function. This function is intended to …

Show full research plan

Research Plan: CVE-2025-12714 - Rank Math SEO Unauthenticated Homepage Settings Modification

1. Vulnerability Summary

The Rank Math SEO plugin (up to version 1.0.271) contains a missing authorization vulnerability in the update_site_editor_homepage function. This function is intended to allow administrators to update SEO settings (titles, meta descriptions, social metadata) directly from the WordPress Site Editor. However, because the function (likely registered as a REST API endpoint) fails to perform a capability check (e.g., current_user_can( 'manage_options' )), any unauthenticated user can send a crafted request to modify the site's homepage SEO configuration.

2. Attack Vector Analysis

  • Endpoint: REST API endpoint (Namespace: rankmath/v1).
  • Probable Route: wp-json/rankmath/v1/update_site_editor_homepage (Inferred from function name and Rank Math REST patterns).
  • HTTP Method: POST.
  • Authentication: None (Unauthenticated).
  • Vulnerable Parameter: The request body likely accepts a JSON object containing keys such as title, description, facebook_title, twitter_description, and homepage_breadcrumbs_label.
  • Preconditions: The plugin must be active. The site may need to be using a block-based theme (Full Site Editing) for the specific code path to be active/reachable, though the missing authorization usually makes the endpoint globally accessible regardless of the active theme.

3. Code Flow (Inferred from Patch and Description)

  1. Route Registration: The plugin registers a REST route using register_rest_route() in the rankmath/v1 namespace.
  2. Missing Permission Callback: The permission_callback for the update_site_editor_homepage route is either set to __return_true or lacks a call to RankMath\Rest\Rest_Helper::can_manage_options() or current_user_can('manage_options').
  3. Data Processing: The update_site_editor_homepage function receives the WP_REST_Request.
  4. Option Update: It extracts settings from the request and uses update_option() or RankMath\Helper::update_all_settings() to save values into the rank-math-options-titles option group without verifying the requester's identity.

4. Nonce Acquisition Strategy

While many WordPress REST API endpoints require a wp_rest nonce for authenticated sessions, unauthenticated vulnerabilities often bypass nonce checks if the permission_callback returns true and no explicit nonce verification exists within the function body.

If a nonce is required:

  1. Identify Script: Rank Math enqueues scripts for the Site Editor.
  2. Detection: The nonce is likely localized via wp_localize_script under the key rankMath.
  3. Extraction:
    • Create a test page to ensure scripts load (if needed): wp post create --post_type=page --post_status=publish --post_content='[rank_math_breadcrumb]'
    • Navigate to the homepage or the created page.
    • Execute in browser: browser_eval("window.rankMath?.restNonce") or browser_eval("window.rankMath?.nonce").

Note: If the vulnerability is truly unauthenticated modification, the endpoint may ignore nonces entirely.

5. Exploitation Strategy

Perform a POST request to the suspected endpoint with a payload designed to change the homepage title and description.

  • Request Method: POST
  • URL: /wp-json/rankmath/v1/update_site_editor_homepage
  • Content-Type: application/json
  • Payload (JSON):
    {
        "title": "Pwned Homepage Title",
        "description": "This site has been modified by an unauthenticated attacker.",
        "facebook_title": "Malicious Social Title",
        "homepage_breadcrumbs_label": "Hacked"
    }
    

6. Test Data Setup

  1. Install Plugin: Ensure seo-by-rank-math version 1.0.271 is installed and activated.
  2. Initial State: Set a legitimate homepage title via the dashboard (Rank Math -> Titles & Meta -> Homepage).
  3. Verify Initial State:
    wp option get rank-math-options-titles --format=json | jq '.[ "homepage_title" ]'
    

7. Expected Results

  • The server should return a 200 OK or 201 Created status code.
  • The response body should ideally confirm the updated settings.
  • The site's metadata (viewed via homepage source) should reflect the new, malicious values.

8. Verification Steps

  1. WP-CLI Check:
    # Check the specific title option
    wp option get rank-math-options-titles --format=json | jq '.[ "homepage_title" ]'
    
    # Check the description
    wp option get rank-math-options-titles --format=json | jq '.[ "homepage_description" ]'
    
  2. Frontend Check:
    Use http_request to fetch the homepage and grep for the injected title.
    # Verify the title tag
    <title>Pwned Homepage Title</title>
    

9. Alternative Approaches

If /update_site_editor_homepage is not the exact route:

  1. Route Discovery: Use http_request to GET /wp-json/rankmath/v1 and look for any "homepage" or "editor" related routes in the JSON response.
  2. Parameter Variation: If the top-level keys don't work, try nesting settings under an objectID or settings key, as Rank Math often uses objectID=0 to represent the homepage.
  3. AJAX Fallback: Check for wp_ajax_rank_math_save_settings or similar handlers that might be missing check_ajax_referer.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Rank Math SEO plugin for WordPress is vulnerable to unauthorized modification of homepage settings because its REST API permission checks fail to validate user capabilities when targeting the homepage. Unauthenticated attackers can exploit this to alter site titles, meta descriptions, and breadcrumb labels by sending a POST request to the plugin's REST API endpoints.

Vulnerable Code

// includes/rest/class-rest-helper.php line 117
public static function get_post_permissions_check( $request ) {
	$object_id = $request->get_param( 'objectID' );
	if ( $object_id === 0 ) {
		return true;
	}

Security Fix

--- a/includes/rest/class-rest-helper.php
+++ b/includes/rest/class-rest-helper.php
@@ -117,7 +117,7 @@
 	public static function get_post_permissions_check( $request ) {
 		$object_id = $request->get_param( 'objectID' );
 		if ( $object_id === 0 ) {
-			return true;
+			return self::can_manage_options();
 		}

Exploit Outline

1. Target the Rank Math REST API endpoint responsible for updating settings, specifically `wp-json/rankmath/v1/update_site_editor_homepage`. 2. Prepare a POST request with a JSON payload containing the SEO settings to be modified (e.g., `title`, `description`, `homepage_breadcrumbs_label`, `facebook_title`). 3. The exploit does not require any authentication (cookies or headers) or REST API nonces because the permission callback specifically returns true for an `objectID` of 0 (which corresponds to the site's homepage). 4. Submit the request to overwrite the site's homepage SEO configuration, which will be immediately reflected in the frontend metadata and breadcrumbs across the site.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.