Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification
Description
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.271What Changed in the Fix
Changes introduced in v1.0.271.1
Source Code
WordPress.org SVN# Research Plan: CVE-2025-12714 - Rank Math SEO Unauthenticated Homepage Settings Modification ## 1. Vulnerability Summary The **Rank Math SEO** plugin (up to version 1.0.271) contains a missing authorization vulnerability in the `update_site_editor_homepage` function. This function is intended to …
Show full research plan
Research Plan: CVE-2025-12714 - Rank Math SEO Unauthenticated Homepage Settings Modification
1. Vulnerability Summary
The Rank Math SEO plugin (up to version 1.0.271) contains a missing authorization vulnerability in the update_site_editor_homepage function. This function is intended to allow administrators to update SEO settings (titles, meta descriptions, social metadata) directly from the WordPress Site Editor. However, because the function (likely registered as a REST API endpoint) fails to perform a capability check (e.g., current_user_can( 'manage_options' )), any unauthenticated user can send a crafted request to modify the site's homepage SEO configuration.
2. Attack Vector Analysis
- Endpoint: REST API endpoint (Namespace:
rankmath/v1). - Probable Route:
wp-json/rankmath/v1/update_site_editor_homepage(Inferred from function name and Rank Math REST patterns). - HTTP Method:
POST. - Authentication: None (Unauthenticated).
- Vulnerable Parameter: The request body likely accepts a JSON object containing keys such as
title,description,facebook_title,twitter_description, andhomepage_breadcrumbs_label. - Preconditions: The plugin must be active. The site may need to be using a block-based theme (Full Site Editing) for the specific code path to be active/reachable, though the missing authorization usually makes the endpoint globally accessible regardless of the active theme.
3. Code Flow (Inferred from Patch and Description)
- Route Registration: The plugin registers a REST route using
register_rest_route()in therankmath/v1namespace. - Missing Permission Callback: The
permission_callbackfor theupdate_site_editor_homepageroute is either set to__return_trueor lacks a call toRankMath\Rest\Rest_Helper::can_manage_options()orcurrent_user_can('manage_options'). - Data Processing: The
update_site_editor_homepagefunction receives theWP_REST_Request. - Option Update: It extracts settings from the request and uses
update_option()orRankMath\Helper::update_all_settings()to save values into therank-math-options-titlesoption group without verifying the requester's identity.
4. Nonce Acquisition Strategy
While many WordPress REST API endpoints require a wp_rest nonce for authenticated sessions, unauthenticated vulnerabilities often bypass nonce checks if the permission_callback returns true and no explicit nonce verification exists within the function body.
If a nonce is required:
- Identify Script: Rank Math enqueues scripts for the Site Editor.
- Detection: The nonce is likely localized via
wp_localize_scriptunder the keyrankMath. - Extraction:
- Create a test page to ensure scripts load (if needed):
wp post create --post_type=page --post_status=publish --post_content='[rank_math_breadcrumb]' - Navigate to the homepage or the created page.
- Execute in browser:
browser_eval("window.rankMath?.restNonce")orbrowser_eval("window.rankMath?.nonce").
- Create a test page to ensure scripts load (if needed):
Note: If the vulnerability is truly unauthenticated modification, the endpoint may ignore nonces entirely.
5. Exploitation Strategy
Perform a POST request to the suspected endpoint with a payload designed to change the homepage title and description.
- Request Method:
POST - URL:
/wp-json/rankmath/v1/update_site_editor_homepage - Content-Type:
application/json - Payload (JSON):
{ "title": "Pwned Homepage Title", "description": "This site has been modified by an unauthenticated attacker.", "facebook_title": "Malicious Social Title", "homepage_breadcrumbs_label": "Hacked" }
6. Test Data Setup
- Install Plugin: Ensure
seo-by-rank-mathversion1.0.271is installed and activated. - Initial State: Set a legitimate homepage title via the dashboard (Rank Math -> Titles & Meta -> Homepage).
- Verify Initial State:
wp option get rank-math-options-titles --format=json | jq '.[ "homepage_title" ]'
7. Expected Results
- The server should return a
200 OKor201 Createdstatus code. - The response body should ideally confirm the updated settings.
- The site's metadata (viewed via homepage source) should reflect the new, malicious values.
8. Verification Steps
- WP-CLI Check:
# Check the specific title option wp option get rank-math-options-titles --format=json | jq '.[ "homepage_title" ]' # Check the description wp option get rank-math-options-titles --format=json | jq '.[ "homepage_description" ]' - Frontend Check:
Usehttp_requestto fetch the homepage and grep for the injected title.# Verify the title tag <title>Pwned Homepage Title</title>
9. Alternative Approaches
If /update_site_editor_homepage is not the exact route:
- Route Discovery: Use
http_requesttoGET /wp-json/rankmath/v1and look for any "homepage" or "editor" related routes in the JSON response. - Parameter Variation: If the top-level keys don't work, try nesting settings under an
objectIDorsettingskey, as Rank Math often usesobjectID=0to represent the homepage. - AJAX Fallback: Check for
wp_ajax_rank_math_save_settingsor similar handlers that might be missingcheck_ajax_referer.
Summary
The Rank Math SEO plugin for WordPress is vulnerable to unauthorized modification of homepage settings because its REST API permission checks fail to validate user capabilities when targeting the homepage. Unauthenticated attackers can exploit this to alter site titles, meta descriptions, and breadcrumb labels by sending a POST request to the plugin's REST API endpoints.
Vulnerable Code
// includes/rest/class-rest-helper.php line 117 public static function get_post_permissions_check( $request ) { $object_id = $request->get_param( 'objectID' ); if ( $object_id === 0 ) { return true; }
Security Fix
@@ -117,7 +117,7 @@ public static function get_post_permissions_check( $request ) { $object_id = $request->get_param( 'objectID' ); if ( $object_id === 0 ) { - return true; + return self::can_manage_options(); }
Exploit Outline
1. Target the Rank Math REST API endpoint responsible for updating settings, specifically `wp-json/rankmath/v1/update_site_editor_homepage`. 2. Prepare a POST request with a JSON payload containing the SEO settings to be modified (e.g., `title`, `description`, `homepage_breadcrumbs_label`, `facebook_title`). 3. The exploit does not require any authentication (cookies or headers) or REST API nonces because the permission callback specifically returns true for an `objectID` of 0 (which corresponds to the site's homepage). 4. Submit the request to overwrite the site's homepage SEO configuration, which will be immediately reflected in the frontend metadata and breadcrumbs across the site.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.