WordPress Plugin Vulnerabilities

Rank Math SEO < 1.0.232 - Admin+ Remote Code Execution

Description

The plugin is vulnerable to Remote Code Execution. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
seo-by-rank-math
Fixed in 1.0.232

References

CVE
CVE-2024-11620
URL
https://patchstack.com/database/wordpress/plugin/seo-by-rank-math/vulnerability/wordpress-rank-math-seo-plugin-1-0-231-arbitrary-htaccess-overwrite-to-remote-code-execution-rce-vulnerability

Classification

Type
RFI
OWASP top 10
A1: Injection
CWE
CWE-98
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
2321728d-8cf5-4284-9010-2d67ed81d362

Timeline

Publicly Published
2024-11-22 (about 1 year ago)
Added
2024-12-02 (about 1 year ago)
Last Updated
2024-12-02 (about 1 year ago)

Other

Published
Title
Published
2025-08-22
Title
Lunna <= 1.15 - Unauthenticated Local File Inclusion
Published
2024-04-17
Title
Salient Shortcodes < 1.5.4 - Authenticated (Contributor+) Local File Inclusion via Shortcode
Published
2026-02-25
Title
ElectroServ | Electrical Repair Service WordPress Theme <= 1.3.2 - Unauthenticated Local File Inclusion
Published
2025-04-18
Title
JetReviews < 2.3.7 - Authenticated (Contributor+) Local File Inclusion
Published
2025-10-04
Title
The7 < 12.8.1.1 - Authenticated (Contributor+) Local File Inclusion