[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6T74yyQZVgV5N6DtSV0dM-FeKgvTJkPnW2YJ0MQjPAk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-34892","rank-math-seo-ai-seo-tools-to-dominate-seo-rankings-missing-authorization","Rank Math SEO – AI SEO Tools to Dominate SEO Rankings \u003C= 1.0.271 - Missing Authorization","The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.271. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","seo-by-rank-math",null,"\u003C=1.0.271","1.0.271.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-03 00:00:00","2026-06-08 14:48:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9d7838c8-938f-487a-9120-4cb13f0e6f6b?source=api-prod",6,[22,23,24,25,26,27,28,29],"includes\u002Fmodules\u002Fseo-analysis\u002Fassets\u002Fcss\u002Fseo-analysis.css","includes\u002Frest\u002Fclass-rest-helper.php","languages\u002Frank-math.pot","rank-math.php","readme.txt","vendor\u002Fautoload.php","vendor\u002Fcomposer\u002Fautoload_real.php","vendor\u002Fcomposer\u002Fautoload_static.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-34892 (Rank Math SEO)\n\n## 1. Vulnerability Summary\nThe **Rank Math SEO** plugin for WordPress (versions \u003C= 1.0.271) contains a **Missing Authorization** vulnerability within its \"SEO Analysis\" ability framework. The plugin introduces \"Abilities\" (as seen in `vendor\u002Fcomposer\u002Fautoload_static.php`) intended for auditing and fixing SEO issues. Specifically, the functionality tied to the `RankMath\\Abilities\\SEO_Analysis\\Fix_Site_SEO` class fails to implement sufficient capability checks.\n\nThis allows an authenticated user with minimal privileges (Subscriber level) to trigger site-wide \"fixes\" that modify critical WordPress options (like the site tagline) or bulk-modify post metadata, actions that should be restricted to administrators.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API\n*   **Route:** `\u002Fwp-json\u002Frankmath\u002Fv1\u002Ffix-site-seo` (derived from `Rest_Helper::BASE` and `languages\u002Frank-math.pot` function titles)\n*   **HTTP Method:** `POST`\n*   **Authentication:** Authenticated (Subscriber level and above)\n*   **Vulnerable Parameter:** `test_id` (determines which fix to run), `value` (payload for specific fixes)\n*   **Required Headers:** `X-WP-Nonce` (standard WordPress REST API nonce)\n\n## 3. Code Flow\n1.  **Entry Point:** The REST API router receives a request to `rankmath\u002Fv1\u002Ffix-site-seo`.\n2.  **Dispatch:** The request is routed to a handler likely associated with `RankMath\\Abilities\\SEO_Analysis\\Fix_Site_SEO` (registered in `includes\u002Fabilities\u002Fseo-analysis\u002Fclass-fix-site-seo.php`).\n3.  **Missing Check:** The `permission_callback` for this route either uses `__return_true`, checks only `is_user_logged_in()`, or relies on a `Rest_Helper` check that does not adequately verify the `rank_math_site_analysis` or `manage_options` capability for this specific action.\n4.  **Sink:** The `Fix_Site_SEO::run()` method (or equivalent) executes logic based on the `test_id`.\n    *   If `test_id` is `site_description`, it calls `update_option( 'blogdescription', $request->get_param( 'value' ) )` (as indicated by the POT string: *\"Site tagline updated to: \\\"%s\\\".\"*).\n    *   If `test_id` is `focus_keywords`, it bulk updates post meta across the site.\n\n## 4. Nonce Acquisition Strategy\nWordPress REST API endpoints require a `wp_rest` nonce. Since the vulnerability requires Subscriber authentication, we can obtain this nonce from the WordPress admin dashboard.\n\n1.  **Login:** Authenticate as a Subscriber user via the standard login flow.\n2.  **Navigate:** Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002Findex.php`).\n3.  **Extract:** The `wp-admin` area enqueues the `wp-api` script which localizes the nonce in the `wpApiSettings` object.\n4.  **Action:** Use `browser_eval` to extract the nonce:\n    ```javascript\n    window.wpApiSettings?.nonce\n    ```\n\n## 5. Exploitation Strategy\nWe will attempt to change the site's tagline (`blogdescription`), which is a site-wide configuration change normally requiring `manage_options`.\n\n### Step 1: Obtain the Nonce\n**Action:** Navigate to the dashboard as a Subscriber and extract the nonce.\n*   **Tool:** `browser_navigate` to `\u002Fwp-admin\u002F`\n*   **Tool:** `browser_eval` to get `window.wpApiSettings.nonce`\n\n### Step 2: Perform the Unauthorized Action\n**Action:** Send a POST request to the Rank Math REST endpoint to change the site tagline.\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-json\u002Frankmath\u002Fv1\u002Ffix-site-seo`\n*   **Method:** `POST`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n*   **Payload (JSON):**\n    ```json\n    {\n      \"test_id\": \"site_description\",\n      \"value\": \"Vulnerable Site Tagline - Exploited by Subscriber\"\n    }\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Install Rank Math SEO version 1.0.271.\n2.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n3.  **Initial State:** Note the current tagline.\n    ```bash\n    wp option get blogdescription\n    ```\n\n## 7. Expected Results\n*   **Response Code:** `200 OK`\n*   **Response Body:** A JSON object containing a success message, such as:\n    `{\"message\": \"Site tagline updated to: \\\"Vulnerable Site Tagline - Exploited by Subscriber\\\".\"}`\n*   **Side Effect:** The WordPress site tagline is modified globally.\n\n## 8. Verification Steps\nAfter the HTTP request, verify the change using WP-CLI:\n```bash\nwp option get blogdescription\n# Expected output: Vulnerable Site Tagline - Exploited by Subscriber\n```\n\n## 9. Alternative Approaches\nIf the `site_description` fix is restricted, attempt a bulk metadata modification which is also handled by this ability:\n\n**Payload (Bulk Focus Keywords):**\n```json\n{\n  \"test_id\": \"focus_keywords\",\n  \"post_limit\": 500\n}\n```\n*   **Expected Result:** The plugin will derive and set focus keywords for up to 500 posts, which is an unauthorized modification of site content. Verify via:\n    ```bash\n    wp post list --field=ID | xargs -I % wp post meta get % rank_math_focus_keyword\n    ```","Rank Math SEO (versions \u003C= 1.0.271) contains a missing authorization vulnerability in its REST API functionality. Authenticated users with low-level privileges (like Subscribers) can trigger site-wide 'SEO fixes' that should be restricted to administrators, allowing them to modify the site's tagline or bulk-update post metadata.","\u002F\u002F includes\u002Frest\u002Fclass-rest-helper.php @ 1.0.271\n\u002F**\n * Checks whether a given request has permission to read post.\n *\n * @param WP_REST_Request $request Full details about the request.\n *\n * @return true|WP_Error True if the request has read access, WP_Error object otherwise.\n *\u002F\npublic static function get_post_permissions_check( $request ) {\n    $object_id = $request->get_param( 'objectID' );\n    if ( $object_id === 0 ) {\n        return true;\n    }\n\n    $post = self::get_post( $object_id );","--- includes\u002Frest\u002Fclass-rest-helper.php\n+++ includes\u002Frest\u002Fclass-rest-helper.php\n@@ -104,7 +104,15 @@\n \tpublic static function get_post_permissions_check( $request ) {\n \t\t$object_id = $request->get_param( 'objectID' );\n \t\tif ( $object_id === 0 ) {\n-\t\t\treturn true;\n+\t\t\tif ( ! Helper::has_cap( 'titles' ) ) {\n+\t\t\t\treturn new WP_Error(\n+\t\t\t\t\t'rest_cannot_edit',\n+\t\t\t\t\t__( 'Sorry, you are not allowed to edit homepage SEO settings.', 'seo-by-rank-math' ),\n+\t\t\t\t\t[ 'status' => rest_authorization_required_code() ]\n+\t\t\t\t);\n+\t\t\t}\n+\t\t\treturn true;\n \t\t}\n \n \t\t$post = self::get_post( $object_id );","The vulnerability is exploited via the WordPress REST API by an authenticated user with at least Subscriber-level privileges. \n\n1. **Authentication & Nonce Collection:** An attacker logs in as a Subscriber and extracts the `wp_rest` nonce from the `wpApiSettings` object available in the WordPress dashboard source code.\n2. **Targeting the Endpoint:** The attacker sends a POST request to `\u002Fwp-json\u002Frankmath\u002Fv1\u002Ffix-site-seo`.\n3. **Payload Construction:** The payload targets a specific 'SEO test' to fix. For example, to change the site's tagline, the attacker uses `{\"test_id\": \"site_description\", \"value\": \"Target Tagline\"}`. To bulk-modify post metadata, the `test_id` can be set to `focus_keywords` with a `post_limit` parameter.\n4. **Authorization Bypass:** Because the permission callback (likely utilizing the vulnerable `get_post_permissions_check` or a similar logic error in the SEO Analysis ability) fails to verify administrative capabilities (like `manage_options`), the plugin executes the setting update or bulk modification immediately.","gemini-3-flash-preview","2026-06-26 05:34:03","2026-06-26 05:35:06",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.271","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseo-by-rank-math\u002Ftags\u002F1.0.271","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fseo-by-rank-math.1.0.271.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseo-by-rank-math\u002Ftags\u002F1.0.271.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fseo-by-rank-math.1.0.271.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseo-by-rank-math\u002Ftags"]