Skip to main content

Rank Math SEO CVE-2026-34892

| EUVDEUVD-2026-36919 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-3h4w-ppp7-mr7f
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-exploitable by any Subscriber-level authenticated account (PR:L, AV:N, AC:L); scope unchanged, no confidentiality or availability impact, only High integrity via unauthorized privileged action execution.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:16 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions.

AnalysisAI

Broken access control in the Rank Math SEO WordPress plugin (versions ≤ 1.0.271) allows authenticated subscribers to invoke privileged functionality beyond their authorization level. The missing authorization check (CWE-862) permits low-privileged WordPress Subscriber-role users to manipulate SEO settings or execute actions normally gated to editors or administrators, with a confirmed High integrity impact per CVSS. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.

Technical ContextAI

Rank Math SEO is a widely-deployed WordPress SEO plugin (CPE: cpe:2.3:a:rank_math_seo:rank_math_seo:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization), which occurs when a plugin endpoint or AJAX/REST action handler fails to verify that the calling user holds the required WordPress capability before executing privileged operations. WordPress plugins commonly register REST API routes or wp_ajax hooks without attaching appropriate current_user_can() capability checks, allowing any authenticated session holder - including the minimal Subscriber role - to invoke those handlers. The CVSS vector AV:N/AC:L/PR:L/UI:N reflects that the attack is fully network-exploitable by any authenticated low-privilege user with no special environmental conditions needed.

RemediationAI

Update Rank Math SEO to a version newer than 1.0.271 via the WordPress plugin dashboard (Plugins → Updates) or by downloading the latest release from the WordPress plugin repository; no exact confirmed fixed version number is available in the current advisory data, so administrators should update to the latest available release and verify the plugin changelog confirms remediation of this access control issue. As a compensating control pending patching, sites should disable open user registration (WordPress Settings → General → uncheck 'Anyone can register') to prevent external attackers from self-provisioning Subscriber accounts - note this does not mitigate risk from existing subscriber accounts or previously compromised credentials, and may affect sites relying on open enrollment for membership or e-commerce flows. Administrators should audit the subscriber-role user list for unauthorized additions. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/seo-by-rank-math/vulnerability/wordpress-rank-math-seo-plugin-1-0-271-broken-access-control-vulnerability for a confirmed fixed version number.

Share

CVE-2026-34892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy