Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-exploitable by any Subscriber-level authenticated account (PR:L, AV:N, AC:L); scope unchanged, no confidentiality or availability impact, only High integrity via unauthorized privileged action execution.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions.
AnalysisAI
Broken access control in the Rank Math SEO WordPress plugin (versions ≤ 1.0.271) allows authenticated subscribers to invoke privileged functionality beyond their authorization level. The missing authorization check (CWE-862) permits low-privileged WordPress Subscriber-role users to manipulate SEO settings or execute actions normally gated to editors or administrators, with a confirmed High integrity impact per CVSS. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
Technical ContextAI
Rank Math SEO is a widely-deployed WordPress SEO plugin (CPE: cpe:2.3:a:rank_math_seo:rank_math_seo:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization), which occurs when a plugin endpoint or AJAX/REST action handler fails to verify that the calling user holds the required WordPress capability before executing privileged operations. WordPress plugins commonly register REST API routes or wp_ajax hooks without attaching appropriate current_user_can() capability checks, allowing any authenticated session holder - including the minimal Subscriber role - to invoke those handlers. The CVSS vector AV:N/AC:L/PR:L/UI:N reflects that the attack is fully network-exploitable by any authenticated low-privilege user with no special environmental conditions needed.
RemediationAI
Update Rank Math SEO to a version newer than 1.0.271 via the WordPress plugin dashboard (Plugins → Updates) or by downloading the latest release from the WordPress plugin repository; no exact confirmed fixed version number is available in the current advisory data, so administrators should update to the latest available release and verify the plugin changelog confirms remediation of this access control issue. As a compensating control pending patching, sites should disable open user registration (WordPress Settings → General → uncheck 'Anyone can register') to prevent external attackers from self-provisioning Subscriber accounts - note this does not mitigate risk from existing subscriber accounts or previously compromised credentials, and may affect sites relying on open enrollment for membership or e-commerce flows. Administrators should audit the subscriber-role user list for unauthorized additions. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/seo-by-rank-math/vulnerability/wordpress-rank-math-seo-plugin-1-0-271-broken-access-control-vulnerability for a confirmed fixed version number.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36919
GHSA-3h4w-ppp7-mr7f