[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvKeiE-z5b4oW-KOO-0eG5cEMOIOi7Mk7AUzyKRQPWxY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-12714","rank-math-seo-ai-seo-tools-to-dominate-seo-rankings-missing-authorization-to-unauthenticated-homepage-settings-modificat","Rank Math SEO – AI SEO Tools to Dominate SEO Rankings \u003C= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification","The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used.","seo-by-rank-math",null,"\u003C=1.0.271","1.0.271.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-28 21:09:47","2026-05-29 09:28:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdd072774-6f85-42de-a9d4-6826703ad839?source=api-prod",1,[22,23,24,25,26,27,28,29],"includes\u002Fmodules\u002Fseo-analysis\u002Fassets\u002Fcss\u002Fseo-analysis.css","includes\u002Frest\u002Fclass-rest-helper.php","languages\u002Frank-math.pot","rank-math.php","readme.txt","vendor\u002Fautoload.php","vendor\u002Fcomposer\u002Fautoload_real.php","vendor\u002Fcomposer\u002Fautoload_static.php","researched",false,3,"# Research Plan: CVE-2025-12714 - Rank Math SEO Unauthenticated Homepage Settings Modification\n\n## 1. Vulnerability Summary\nThe **Rank Math SEO** plugin (up to version 1.0.271) contains a missing authorization vulnerability in the `update_site_editor_homepage` function. This function is intended to allow administrators to update SEO settings (titles, meta descriptions, social metadata) directly from the WordPress Site Editor. However, because the function (likely registered as a REST API endpoint) fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`), any unauthenticated user can send a crafted request to modify the site's homepage SEO configuration.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** REST API endpoint (Namespace: `rankmath\u002Fv1`).\n*   **Probable Route:** `wp-json\u002Frankmath\u002Fv1\u002Fupdate_site_editor_homepage` (Inferred from function name and Rank Math REST patterns).\n*   **HTTP Method:** `POST`.\n*   **Authentication:** None (Unauthenticated).\n*   **Vulnerable Parameter:** The request body likely accepts a JSON object containing keys such as `title`, `description`, `facebook_title`, `twitter_description`, and `homepage_breadcrumbs_label`.\n*   **Preconditions:** The plugin must be active. The site may need to be using a block-based theme (Full Site Editing) for the specific code path to be active\u002Freachable, though the missing authorization usually makes the endpoint globally accessible regardless of the active theme.\n\n## 3. Code Flow (Inferred from Patch and Description)\n1.  **Route Registration:** The plugin registers a REST route using `register_rest_route()` in the `rankmath\u002Fv1` namespace.\n2.  **Missing Permission Callback:** The `permission_callback` for the `update_site_editor_homepage` route is either set to `__return_true` or lacks a call to `RankMath\\Rest\\Rest_Helper::can_manage_options()` or `current_user_can('manage_options')`.\n3.  **Data Processing:** The `update_site_editor_homepage` function receives the `WP_REST_Request`.\n4.  **Option Update:** It extracts settings from the request and uses `update_option()` or `RankMath\\Helper::update_all_settings()` to save values into the `rank-math-options-titles` option group without verifying the requester's identity.\n\n## 4. Nonce Acquisition Strategy\nWhile many WordPress REST API endpoints require a `wp_rest` nonce for authenticated sessions, unauthenticated vulnerabilities often bypass nonce checks if the `permission_callback` returns `true` and no explicit nonce verification exists within the function body.\n\nIf a nonce is required:\n1.  **Identify Script:** Rank Math enqueues scripts for the Site Editor.\n2.  **Detection:** The nonce is likely localized via `wp_localize_script` under the key `rankMath`.\n3.  **Extraction:**\n    *   Create a test page to ensure scripts load (if needed): `wp post create --post_type=page --post_status=publish --post_content='[rank_math_breadcrumb]'`\n    *   Navigate to the homepage or the created page.\n    *   Execute in browser: `browser_eval(\"window.rankMath?.restNonce\")` or `browser_eval(\"window.rankMath?.nonce\")`.\n\n*Note: If the vulnerability is truly unauthenticated modification, the endpoint may ignore nonces entirely.*\n\n## 5. Exploitation Strategy\nPerform a `POST` request to the suspected endpoint with a payload designed to change the homepage title and description.\n\n*   **Request Method:** `POST`\n*   **URL:** `\u002Fwp-json\u002Frankmath\u002Fv1\u002Fupdate_site_editor_homepage`\n*   **Content-Type:** `application\u002Fjson`\n*   **Payload (JSON):**\n    ```json\n    {\n        \"title\": \"Pwned Homepage Title\",\n        \"description\": \"This site has been modified by an unauthenticated attacker.\",\n        \"facebook_title\": \"Malicious Social Title\",\n        \"homepage_breadcrumbs_label\": \"Hacked\"\n    }\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `seo-by-rank-math` version `1.0.271` is installed and activated.\n2.  **Initial State:** Set a legitimate homepage title via the dashboard (Rank Math -> Titles & Meta -> Homepage).\n3.  **Verify Initial State:**\n    ```bash\n    wp option get rank-math-options-titles --format=json | jq '.[ \"homepage_title\" ]'\n    ```\n\n## 7. Expected Results\n*   The server should return a `200 OK` or `201 Created` status code.\n*   The response body should ideally confirm the updated settings.\n*   The site's metadata (viewed via homepage source) should reflect the new, malicious values.\n\n## 8. Verification Steps\n1.  **WP-CLI Check:**\n    ```bash\n    # Check the specific title option\n    wp option get rank-math-options-titles --format=json | jq '.[ \"homepage_title\" ]'\n    \n    # Check the description\n    wp option get rank-math-options-titles --format=json | jq '.[ \"homepage_description\" ]'\n    ```\n2.  **Frontend Check:**\n    Use `http_request` to fetch the homepage and grep for the injected title.\n    ```bash\n    # Verify the title tag\n    \u003Ctitle>Pwned Homepage Title\u003C\u002Ftitle>\n    ```\n\n## 9. Alternative Approaches\nIf `\u002Fupdate_site_editor_homepage` is not the exact route:\n1.  **Route Discovery:** Use `http_request` to `GET \u002Fwp-json\u002Frankmath\u002Fv1` and look for any \"homepage\" or \"editor\" related routes in the JSON response.\n2.  **Parameter Variation:** If the top-level keys don't work, try nesting settings under an `objectID` or `settings` key, as Rank Math often uses `objectID=0` to represent the homepage.\n3.  **AJAX Fallback:** Check for `wp_ajax_rank_math_save_settings` or similar handlers that might be missing `check_ajax_referer`.","The Rank Math SEO plugin for WordPress is vulnerable to unauthorized modification of homepage settings because its REST API permission checks fail to validate user capabilities when targeting the homepage. Unauthenticated attackers can exploit this to alter site titles, meta descriptions, and breadcrumb labels by sending a POST request to the plugin's REST API endpoints.","\u002F\u002F includes\u002Frest\u002Fclass-rest-helper.php line 117\npublic static function get_post_permissions_check( $request ) {\n\t$object_id = $request->get_param( 'objectID' );\n\tif ( $object_id === 0 ) {\n\t\treturn true;\n\t}","--- a\u002Fincludes\u002Frest\u002Fclass-rest-helper.php\n+++ b\u002Fincludes\u002Frest\u002Fclass-rest-helper.php\n@@ -117,7 +117,7 @@\n \tpublic static function get_post_permissions_check( $request ) {\n \t\t$object_id = $request->get_param( 'objectID' );\n \t\tif ( $object_id === 0 ) {\n-\t\t\treturn true;\n+\t\t\treturn self::can_manage_options();\n \t\t}","1. Target the Rank Math REST API endpoint responsible for updating settings, specifically `wp-json\u002Frankmath\u002Fv1\u002Fupdate_site_editor_homepage`.\n2. Prepare a POST request with a JSON payload containing the SEO settings to be modified (e.g., `title`, `description`, `homepage_breadcrumbs_label`, `facebook_title`).\n3. The exploit does not require any authentication (cookies or headers) or REST API nonces because the permission callback specifically returns true for an `objectID` of 0 (which corresponds to the site's homepage).\n4. Submit the request to overwrite the site's homepage SEO configuration, which will be immediately reflected in the frontend metadata and breadcrumbs across the site.","gemini-3-flash-preview","2026-06-04 15:22:53","2026-06-04 15:23:45",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.271","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseo-by-rank-math\u002Ftags\u002F1.0.271","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fseo-by-rank-math.1.0.271.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseo-by-rank-math\u002Ftags\u002F1.0.271.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fseo-by-rank-math.1.0.271.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseo-by-rank-math\u002Ftags"]