CVE-2024-9161

moderate-risk
Published 2024-10-05

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'update_metadata' function in all versions up to, and including, 1.0.228. This makes it possible for unauthenticated attackers to insert new and update existing metadata beginning with 'rank_math', and delete arbitrary existing user metadata and term metadata. Deleting existing usermeta can cause a loss of access to the administrator dashboard for any registered users, including Administrators.

Do I need to act?

!
23.1% chance of exploitation in next 30 days
EPSS score — higher than 77% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Seo

Affected Vendors

Rankmath

References (6)

Product https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/...
Product https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/...
Product https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/...
Product https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/...
Patch https://plugins.trac.wordpress.org/changeset/3161896/
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/7df39a64-76c5-4ebe-a27...
43
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 14/34 · Moderate
Exposure 5/34 · Minimal